Safety of patients, security of personal medical data at risk

The Food and Drug Administration is knuckling down on software quality in medical devices after finding that nearly a quarter of recalls are due to a software failure.

The FDA’s Office of Science and Engineering Laboratories will dedicate more time to testing software quality and security to reduce the failure rate cited in a 2011 annual report released June 15. The testing increase is needed to prevent injury or death as a result of software that has been poorly designed or written.

In a statement sent to Threatpost, a blog owned by Kaspersky Lab, the FDA said it is developing “techniques and laboratory expertise to assist our review staff in identifying potential vulnerabilities and evaluating risk mitigation measures.” The testing procedures being developed are in line with those used in regulated industries.

An FDA spokesman was unavailable Thursday by phone, but the agency emailed a statement to CSO saying that it continues to “closely monitor [devices] for safety and security problems.”

“Manufacturers are responsible for identifying risks and hazards associated with medical device software/firmware, including risks related to security, and are responsible for putting appropriate mitigations in place to address patient safety,” the statement said. “Information related to theoretical device security problems is helpful. However, it is very important that the agency receive reports of devices that have had security breaches.”

Software within medical devices poses a risk to patient safety, as well as to the security of personal medical data stored in the devices. The risk has increased as devices are being designed and operated as special-purpose computers. Many of these devices are connected to networks that could be vulnerable to malware attacks.

In 2008, the FDA started building a national electronic safety system designed to monitor the performance of medical devices. The so-called Sentinel Initiative enables the FDA to query electronic healthcare systems, administrative and insurance claims databases and registries to pinpoint possible medical product safety issues. A pilot of the system is currently in use.

Nevertheless, security failures remain a major concern with medical devices. This month, Google reported blocking a malware-riddled Web site that distributed software updates for a wide range of medical equipment. Among the devices receiving updates from the CareFusion Web site was the equipment manufacturer’s AVEA Ventilators. A medical ventilator is a machine used to move air in and out of a hospital patient’s lungs.

People visiting the CareFusion site ran the risk of downloading malware from any of 20 pages, said the Medical Device Security Center, a nonprofit organization dedicated to the security of medical equipment. Google identified 48 viruses on the CareFusion Web server.

In 2011, computer science researchers at the University of California, Berkeley, the University of Massachusetts, Amherst, and Carnegie Mellon University found several vulnerabilities in an external defibrillator used to regulate a person’s heartbeat. “Our assessment demonstrates real vulnerabilities in medical devices and their software and gives a first glimpse into the viability of malware that can be expected in software-based medical devices,” the team said in a paper.