Massachusetts researchers analyzing decades of FDA reports concluded that the agency’s safety protocols may not be enough to protect medical devices in the software age.
As more and more medical devices boast features allowing them to collect and wirelessly transmit patient information, the FDA’s existing systems for tracking safety concerns and spotting patterns may not be up to the task.
The Strategic Healthcare IT Advanced Research Projects on Security (Sharps) team warned that the FDA needs to step up its medical device reporting and surveillance systems to keep up with privacy and security issues in medical device software.
The federal watchdog agency should “rethink how to effectively and efficiently collect data on security and privacy problems in devices that increasingly depend on computing systems susceptible to malware,” UMass Amherst security expert Kevin Fu, among the first to “hack” a medical implant in a lab setting, said in prepared remarks.
The group, representing a coalition of researchers from Beth Israel Deaconess Medical Center, Harvard Medical School and the University of Massachusetts Amherst, conceded that cybersecurity threats to medical implants have yet to manifest in the real world, but clinical computing systems have been targeted before.
“Lack of reported incidents also results from a lack of effective reporting mechanisms from clinical settings to the government about cybersecurity threats in medical devices,” U.S. National Institute of Standards & Technology information and privacy board chair Daniel Chenok said in a statement sent to MassDevice.com.
Earlier this year respiratory devices maker CareFusion (NYSE:CFN) confirmed that its website, which provides software updates for healthcare providers using respiratory devices, was infected with malware that may then have been transmitted to users’ computers.
In trawling the FDA’s databases, the SHARPS team didn’t uncover any recalls or adverse events associated with security or privacy issues, but did find “a high prevalence of recalls related to software, plus fewer recalls related to patient data storage or wireless communication.”
“While the lack of glaring security or privacy concerns through this search strategy may be reassuring, the authors also conclude that the current classification methods in these databases are not well suited to merging types of device malfunctions,” according to the press release.
One researcher submitted a software vulnerability report on an automated external defibrillator; the report was only processed and made public nine months later.
Researchers stressed that the problem remains with vulnerabilities that exist in medical devices, not in the agency’s slow handling of them.
“Of course, in an ideal world, devices would be free of security and privacy vulnerabilities, so it wouldn’t matter if the announcement process is slow,” Sharps group director Carl Gunter said in a press statement. “But the technical obstacles are significant and FDA surveillance will be a key line of defense. The authors have done an important service pointing out the need to improve that system.”