FDA failing to capture privacy issue info on medical devices

The U.S. Food and Drug Administration's current recall classification scheme for medical devices does not adequately capture privacy and security issues and should be revamped, concludes research published this month in the journal PLoS One.

While the FDA's databases were found to be adequately stocked with records for devices recalled due to problems such as labeling and software issues, hardly any information was available when it came to privacy issues. Kevin Fu, an associate professor of computer science and electrical and computer engineering at UMass Amherst and one of the study's authors, told GovInfoSecurity that the biggest problem facing medical devices today is "the inability to deliver effective care" following a malware disruption.

"Reports must be collected to answer precise questions about these threats," he told GovInfoSecurity. "However, the reporting mechanisms we evaluated do not seem ready to catch security issues."

Fu added that such updated reporting mechanisms would need to be simple and to integrate seamlessly into a clinician's workflow.

The report's authors suspected that time pressure and lack of incentives have contributed to the gap in database quality, but also added that "clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer."

In addition to medical devices, the research could have an impact on mHealth. Early last week, President Obama signed the FDA Safety and Innovation Act into law. The legislation shores up the agency's role in creating guidance for mobile medical applications.

In April, the Information Security and Privacy Advisory Board sent a letter to the Office of Management and Budget and the U.S. Department of Health & Human Services that expressed concern that no one agency has the primary responsibility to ensure the cybersecurity of software-controlled medical devices. The letter added that there's an economic disincentive for providers to report such incidents, since they may be seen as liable.

To learn more:
- here's the PLoS One research
- read the GovInfoSecurity article