Do Medical Device Users Need To Be Concerned About Malware?
Malware may not be something you can catch like a cold, but for the growing number of Americans who rely on medical devices it certainly can affect their health.
Manufacturers within the industry have increasingly built computer software and wireless connectivity into insulin pumps, defibrillators, respiratory aids and other medical devices. These features provide software-based control of therapies and network-based transmission of the patient data the devices store.
While these technology initiatives can certainly prove beneficial when it comes to one’s health, there is some concern that they can also leave devices susceptible to a number of cybersecurity vulnerabilities.
Manufacturers, hospitals, and the general public can currently track faulty devices using three searchable online databases on the U.S. Food and Drug Administration’s (FDA) website: the Medical and Radiation Emitting Device Recalls database, the Manufacturer and User Facility Device Experience (MAUDE) database and the FDA Enforcement Reports. Each of these collects and organizes information on mechanical and software problems identified in medical equipment.
But are the industry and the agency doing enough to track, and subsequently protect the public from, malware and the other security and privacy risks associated with these devices?
Not really, according to a recent study co-published by six researchers associated with Harvard Medical School’s Beth Israel Deaconess Medical Center and the Department of Computer Science at the University of Massachusetts Amherst. After learning of the uptick in reported hospital incidents involving malware, the team of researchers began to sort through the three FDA-sponsored databases for medical device recalls associated with such problems.
During their assessment, the team identified two pertinent issues. First, software-related problems are becoming a major factor in medical device recalls. Second, the online databases did not appear to be effectively capturing security and privacy issues. Major inconsistencies between the databases were identified when the team searched for all medical equipment recalls mentioning the word “software.”
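A small-scale version of that kind of cross-database check, as an added example that is not part of the original post and not the study’s own code: the records below are constructed (they are not real FDA entries), and the field names and the list of search terms are assumptions. It indexes two listings by recall number, classifies each record with a word-boundary regex rather than a bare substring match for “software,” and reports records that appear in only one source as well as records that appear in both but are described as software-related in only one of them.

```python
import re

# Constructed sample records (NOT real FDA data), loosely modeled on the fields
# a recall listing and an enforcement report expose: recall number, product,
# and the stated reason for recall.
RECALL_DATABASE = [
    {"recall_number": "A-1", "product": "Infusion pump",
     "reason": "Software anomaly may halt delivery of medication"},
    {"recall_number": "A-2", "product": "Implantable defibrillator",
     "reason": "Firmware update may corrupt stored patient data"},
    {"recall_number": "A-3", "product": "Ventilator",
     "reason": "Loose connector on power supply"},
    {"recall_number": "A-4", "product": "Glucose monitor",
     "reason": "Display may show incorrect units"},
]

ENFORCEMENT_DATABASE = [
    {"recall_number": "A-1", "product": "Infusion pump",
     "reason": "Software defect; device may stop infusion"},
    {"recall_number": "A-2", "product": "Implantable defibrillator",
     "reason": "Device may corrupt stored patient data"},
    {"recall_number": "A-3", "product": "Ventilator",
     "reason": "Loose connector on power supply"},
    {"recall_number": "A-5", "product": "Infusion pump",
     "reason": "Mechanical fault in pump motor"},
]

# The single keyword "software" misses records worded differently (firmware,
# malware, network...), so the classifier matches a small assumed set of
# related terms on word boundaries.
SOFTWARE_TERMS = re.compile(
    r"\b(software|firmware|program(?:ming)?|cyber\w*|malware|virus|network\w*)\b",
    re.IGNORECASE,
)


def is_software_related(record):
    """True if the free-text fields mention a software-related term."""
    text = " ".join(record.get(k, "") for k in ("product", "reason"))
    return SOFTWARE_TERMS.search(text) is not None


def index_by_recall(records):
    """Map recall number -> record; duplicates keep the first entry seen."""
    index = {}
    for rec in records:
        index.setdefault(rec["recall_number"], rec)
    return index


def reconcile(db_a, db_b):
    """Compare two listings keyed by recall number and report the gaps."""
    a, b = index_by_recall(db_a), index_by_recall(db_b)
    shared = set(a) & set(b)
    # Records in both listings but classified differently are a reporting
    # inconsistency; records in only one listing are a coverage gap.
    mismatched = sorted(
        n for n in shared if is_software_related(a[n]) != is_software_related(b[n])
    )
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "in_both": sorted(shared),
        "classification_mismatch": mismatched,
        "software_count_a": sum(is_software_related(r) for r in a.values()),
        "software_count_b": sum(is_software_related(r) for r in b.values()),
    }


if __name__ == "__main__":
    report = reconcile(RECALL_DATABASE, ENFORCEMENT_DATABASE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data, recall A-2 is the interesting case: the recall listing says “firmware” while the enforcement entry describes only the effect, so a search for “software” in either source alone would count it differently. Against the real FDA listings the same logic would need the sources’ actual field names and a much larger vocabulary of terms.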
The researchers believe this inconsistency between databases is partially due to a lack of “meaningful and convenient reporting mechanisms.” Also playing a role in this inconsistency are time constraints and the absence of incentives, federal safe harbor policies and clear actionable guidelines. But let’s not forget that the general lack of education regarding computer security issues can also impede clinicians’ ability to effectively identify security risks.
What steps can those within the industry and government take to safeguard consumers and their brands? According to the researchers, the United States should re-examine its strategy for collecting and sharing security-related information for medical devices. Those within the industry and regulators should also re-evaluate how the security and privacy of devices and systems are assessed.
Are you surprised by the report’s findings and the inconsistency between the FDA-sponsored databases? Do you feel confident in the security and privacy of U.S. medical devices? Please share your comments below.
Stericycle ExpertRECALL™ is the industry leader in recall logistics and regulatory compliance for consumer product, pharmaceutical, medical device, juvenile product, and food and beverage recalls. ExpertRECALL’s professionals are experts in recall management who can help you streamline the entire product recall process.