This study evaluated postmarket events in medical devices related to security and privacy using complementary databases compiling enforcement reports, recalls, and adverse events. Detailed review of enforcement reports revealed that recalls of devices with computers were common, though features such as wireless communication and storage of personal data were less common in those recalled devices. The FDA recall database did not yield any recalls related to patient security or privacy over a 9-year period of analysis. While the lack of any security or privacy concerns through these two mechanisms may be reassuring, it seems more likely that the current recall classification scheme does not adequately capture device malfunctions of this type. In addition, it is concerning that processing an adverse event report may take several months, given that a global exploitation of a security and privacy vulnerability may spread in a shorter period of time.
Our results also contrast with databases that track security and privacy problems for the Department of Veterans Affairs (VA). The Field Security Office in the Office of Information Security at the VA collects statistics on the prevalence of malicious software (malware) infections within its 156 medical centers. Between January 2009 and December 2011, the VA detected 142 separate instances of malware infections affecting 207 medical devices found in radiation oncology, radiology, clinical lab, GI lab, ophthalmology imaging, cardiology imaging, pharmacy, sleep lab, cardiac catheterization lab, pulmonary, dental, audiology, dictation, and neurology.
A common outcome was the unavailability of care because of computer outages. In one extreme instance, a computer virus infection in a catheterization lab required transport of patients to a different hospital. Common causes of infections include use of the Internet and USB flash memory drives from vendors who are paradoxically updating software on medical devices. In one instance, a factory-installed device arrived already infected with malware. All detected malware pertained to conventional computer viruses rather than malware customized for medical devices. The most prevalent malware converted the medical devices into nodes of “botnet” criminal networks. Organized crime rents out botnets for others to distribute spam anonymously and for mounting targeted attacks on information infrastructure.
We believe that the inconsistency between databases is due to lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer. Time pressure, lack of incentives, lack of federal safe harbor policies, and lack of clear actionable guidance likely further reduce the probability of incident reporting by clinicians and information technology staff.
Similarly, our review of the MAUDE database of adverse event reports did not identify any events related to privacy or security, despite inclusion of nearly 1000 possible product problems to facilitate targeted searching. Again, the negative findings here may be viewed in two ways. The absence of a glaring safety signal provides some reassurance that, for example, unauthorized access to patient information does not appear to be rampant. However, our manual review of the entire list of search product problems – from “abnormal” to “Y2K related problem” – found only a handful of terms with a prima facie connection to security or privacy. This again suggests that the classification of postmarket events may not be well-positioned to prospectively collect security or privacy related problems. The detailed, verbatim review of the actual information provided in those adverse reports which mapped to security or privacy terms () raises suspicions that current surveillance mechanisms may be insufficiently tailored to these specific problems.
This same concern is demonstrated in part by our findings related to software recalls. Most of these recalls indicated that a software update would be issued to correct the problem in question, but the mechanism of update itself remained unclear. These mechanisms might include web/internet-based solutions, direct interventions by field engineers, or other interventions, each of which might introduce security risks. Our review of adverse events, however, suggests that even if an event were to occur – such as failure to update properly or deliberate interference with a software update – the current classification of “product problems” might not categorize these events clearly.
Our study reinforces findings of a prior evaluation of adverse events related to health information technology. This much broader search strategy, also using MAUDE, found that only 0.1% of nearly 900,000 reports over a 2-year period were related to health information technology. These problems included a mix of software malfunctions, system configuration, and human errors. As with our report, these investigators suggested that the relatively low rate of findings may reflect known shortcomings of MAUDE, variability in reporting and the difficulty in even recognizing device malfunctions that are “unusual” or outside of traditional notions of device performance. Similarly, they identified a need for better design of prospective systems for capturing adverse events specific to the growing complexity of medical devices. Our contributions differ in two respects. First, our analysis is based on data from MAUDE as well as the FDA’s Enforcement Reports and Medical & Radiation Emitting Device Recalls. Second, our findings concern the issue of revising the current approach to postmarket surveillance to adequately identify problems related to the security and privacy of medical devices.
Our study has important limitations. As noted, our search strategy may not have been sufficient to identify reports or events related to privacy or security, although our manual review of search terms and reports was intentionally broad. All three databases focus on postmarket events that themselves required several links in a complex chain to become publicly known. Most importantly, device problems related to privacy and security must manifest clinically to become reportable, and by their very nature these issues may be difficult to detect. However, this strengthens our suggestion that better prospective mechanisms are needed to track device performance in this area.
The rapid proliferation of medical devices, and their growing sophistication, present Internet-age challenges for multiple stakeholders. Without an understanding of security and privacy, it will be difficult for patients and clinicians to establish confidence in device safety and effectiveness. While this study provides some comfort in the lack of observed security or privacy breaches, the related adverse events or device malfunctions are not served well by the current approach to postmarket surveillance. This conclusion challenges regulators and manufacturers to carefully weigh the premarket evaluation of security and privacy elements of their devices and systems, and to design postmarket systems that enable effective collection of cybersecurity threat indicators for medical devices. While intentional interference may be much less likely to manifest clinically than other types of traditional malfunctions, it is clear that no effective system exists to detect signals of security or privacy problems. This conclusion is confirmed by the sharp contrast between the security and privacy problems tabulated by the VA and those tabulated in the FDA databases. To detect a security or privacy problem that could harm patients, a more effective information sharing system for medical device cybersecurity should be established.