Nearly one-third of all recalled medical devices contain computers, and half of those are recalled because of computer-related problems, according to a recent study.
‘Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance’ was funded by the Department of Health and Human Services. The study analyzes the FDA’s weekly enforcement reports, medical and radiation-emitting device recalls, and the Manufacturer and User Facility Device Experience database. Its aim is to explore the basis of a growing concern about the security and privacy implications of the increased production of, and reliance upon, internet-connected and Wi-Fi-ready medical devices.
Between 2002 and 2010, 523 of the 537 recalls that mentioned the word ‘software’ in recall reports cited software problems as the specific reason for recall.
Only 35 of the 605 recalled computer-equipped medical devices were recalled due to a flaw in patient data storage, and only 31 of those were recalled because of a wireless communication bug.
To test response time, one of the study’s co-authors submitted a software vulnerability report for an automated external defibrillator. That report took nine months to process, which the study claims is problematic considering that only a matter of hours separates the discovery of a conventional computer security vulnerability from its exploitation.
According to the report, there have been hundreds of reports of conventional viruses infecting all sorts of medical devices. Beyond that, researchers have identified, and continue to identify, new vulnerabilities in medical devices. Despite this, the study claims that “there are no known case reports of malevolent interference that specifically target medical device function.”