Controlling for Cybersecurity Risks of Medical Device Software

Abstract

While computer-related failures are known to play a significant role in deaths and injuries involving medical devices reported to the U.S. Food and Drug Administration (FDA), there is no similar reporting system that meaningfully captures security-related failures in medical devices. Medical device software must satisfy system properties, including safety, security, reliability, resilience, and robustness, among others. This column focuses on the challenges to satisfying a security property for medical devices: postmarket surveillance, integrity and availability, and regulation and standards. Medical devices depend on software for patient care ranging from radiation therapy planning to pharmaceutical compounding to automated diagnosis of disease with mobile medical apps. Meanwhile, the medical community has observed an uptick in reported security vulnerabilities in medical device software—raising doubts of cybersecurity preparedness. It should come as little surprise that security risks in medical devices “could lead to patient harm” as recently explained by the chief scientist at the FDA Center for Devices and Radiological Health. Device manufacturers and healthcare providers ought to more carefully and deliberately consider security hazards during the phases from design to use of medical devices. Measuring Medical Device Security: Quantitative or Qualitative? Between years 2006 and 2011, 5,294 recalls and approximately 1.2 million adverse events of medical devices were reported to the FDA’s Manufacturer and User Facility Device Experience (MAUDE) database. Almost 23% of these recalls were due to computer-related failures, of which approximately 94% presented medium to high risk of severe health consequences (such as serious injury or death) to patients. For security incidents on medical devices, no systematic national reporting system exists. Yet, individual hospitals know of hundreds of security incidents on medical devices. For instance, the FDA MAUDE does not capture adverse events such as lack of or impaired availability of function when malware infects a medical device’s operating system. FDA’s own disclaimer explains that the MAUDE database is qualitative rather than quantitative. MAUDE is incomplete with underreporting and reporting bias. Imagine the reaction of a clinician using a high-risk pregnancy monitor that begins to perform more slowly because of a Conficker infection. Would the clinician report a malware infection? Likely not. Admitting to playing a role in accidentally infecting a medical device Controlling for Cybersecurity Risks of Medical Device Software