Report: FDA Should Improve Device Security Data Tracking


FDA should improve how it tracks data on privacy and security issues relating to medical devices, according to a report published in the journal PLoS ONE, GovInfoSecurity reports.

Report Details

Researchers from Harvard Medical School's Beth Israel Deaconess Medical Center and the University of Massachusetts Amherst analyzed nine years' worth of data from public FDA databases that are used to evaluate recalls and adverse events involving medical devices (Kolbasuk McGee, GovInfoSecurity, 7/19).

The databases used in the study are:

Key Findings

The report found that the databases can be used to find records about adverse event reporting and recalls of devices that had problems with labeling, battery failure, sterility and software.

However, researchers found little or no data about product recalls stemming from privacy and security issues (GovInfoSecurity, 7/19).

The report states that findings show "sharp inconsistencies with databases at individual providers in respect to security and privacy risks."

The authors wrote, "We believe the inconsistency between databases is due to a lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer."

They added, "Time pressure, lack of incentives, lack of federal safe harbor policies and lack of clear actionable guidance further reduce the probability of incident reporting by clinicians and [IT] staff."

Implications

According to the study, medical devices are known to be increasingly compromised by malware, which can turn the devices into botnets that often are used for spam relays.

The authors wrote that malware infections often lead to "unavailability of care because of computer outages." They added, "In one extreme instance, a computer virus infection in a catheterization lab required transport of patients to a different hospital."

Recommendations

The report concluded that the U.S. should re-think how it collects and shares security data related to medical devices.

Researchers added that device manufacturers and regulators should re-evaluate "security and privacy elements of their devices and systems" (NetworkWorld, 7/19).

FDA Response

In response to the report, FDA in a statement said, "FDA shares the concern over the security and privacy of medical devices, and emphasizes security as a key element in device design."

The agency added, "Current adverse event data do not indicate that breaches of device security measures is a widespread problem. However, [FDA] continues to closely monitor for safety or security problems" (GovInfoSecurity, 7/19).
