Medical Device Security Info Lacking
Report Urges FDA to Ramp Up Data Collection
The Food and Drug Administration needs to do a better job of collecting information on privacy and security issues related to medical devices to catch problems before they rapidly spread, according to a new report.
To promote healthcare providers' reporting of security and privacy issues, "legal and contractual risks must be resolved to incentivize reporting," says one of the study's researchers, Kevin Fu, associate professor of computer science and electrical and computer engineering at UMass Amherst.
"I challenge the government to create a system where it is easier and faster to submit a meaningful security report than it is to discharge a patient," he says.
The findings of the report support similar recent recommendations from the Information Security and Privacy Advisory Board, which urged improved surveillance, regulations and interventions related to the security of medical devices.
The new study, "Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance," was conducted by researchers at Harvard Medical School, Beth Israel Deaconess Medical Center in Boston and the University of Massachusetts Amherst computer science department.
Researchers evaluated nine years' worth of data from publicly available FDA databases that are used to evaluate recalls and adverse events involving medical devices that range from implanted devices, such as pacemakers and insulin pumps, to external devices, including defibrillators.
Many of those devices can store patient data and communicate wirelessly. Those products pose potential patient safety and privacy issues because they are vulnerable to malware and hacking, as well as to problems involving software upgrades that don't get properly implemented, the report notes.
Databases Lack Information
The researchers found that information from the FDA databases can be extracted to find records about the reporting of adverse events and recalls of devices that had problems with labeling, battery failure, sterility and software issues. However, little or no information was available about product recalls and adverse events related to privacy and security problems.
"The biggest security risk today is the inability to deliver effective care when malware disrupts a clinical computing system," Fu says.
A recent example of security issues tied to a medical device, Fu says, involved a virus-infected web server that was used for distributing software updates to a certain brand of ventilators but instead, for months, was directing users to another site that was also serving up malware. He suspects issues with the ventilator "could have been caught earlier had security problems been collected."
"Reports must be collected to answer precise questions about threats. However, the reporting mechanisms we evaluated do not seem ready to catch security issues," he says.
An improved security reporting system must be simple and effective and not interrupt the workflow of busy healthcare professionals in order to get buy-in, Fu adds.
More forensic and epidemiological study needs to be done to identify and quantify the dangers of security-compromised medical devices, says Dale Nordenberg, M.D., founder of the Medical Device Innovation, Safety and Security Consortium. This new study is a step in the right direction, he says.
"This is an important study because it validates the concerns of hospitals and healthcare providers around medical device security," says Nordenberg, a pediatrician who is also CEO of Novasano Health and Science, a consulting firm.
"The study shows we're not accurately quantifying the scope of the problem," he says. The research clearly demonstrates that changes are needed in policy and regulations, he contends.
The FDA issued a statement in response to the report: "The FDA shares the concern over the security and privacy of medical devices, and emphasizes security as a key element in device design. Any system with wireless communication can be subject to interception of data and compromised privacy as well as interference with performance that can compromise the safety and effectiveness of the device. Current adverse event data do not indicate that breaches of device security measures is a widespread problem. However, the FDA continues to closely monitor for safety or security problems."
The FDA also notes that it "continues developing important relationships with academia with the goal of staying ahead of the technological curve and is developing specific techniques and laboratory expertise to assist our review staff in identifying potential vulnerabilities and evaluating risk mitigation measures employed by regulated industry. The FDA is engaged in consensus standard-setting for cybersecurity in medical devices and also actively works with federal colleagues who have authority for privacy evaluations."