Medical devices such as smart insulin pumps, pacemakers, defibrillators and MRI scanners have revolutionized healthcare in recent decades, and the sector is increasingly reliant on such IT products. A 2012 Economist article reported that half the medical devices sold in America, the world's largest healthcare market, rely on software. As such technology becomes commonplace, onlookers have warned of security risks from both intentional and unintentional sources, and researchers have undertaken projects to ensure a higher standard of coding.
Widespread safety concerns
Researchers have documented widespread flaws with medical device software, the Economist reported. A study from Greece's University of Patras found that one-third of all software-based medical devices sold in America between 1999 and 2005 had been recalled for software failures, while University of Massachusetts computer science professor Kevin Fu has estimated that there have been 1.5 million device recalls since 2002.
Unintentional errors resulting from embedded software malfunctions in drug-infusion pumps led to nearly 20,000 injuries and more than 700 deaths from 2005 to 2009, according to the Food and Drug Administration (FDA). Additionally, many devices may be vulnerable to hackers. The Economist noted that studies have found ways to maliciously disrupt devices such as insulin pumps and implantable defibrillators.
In August 2012, the U.S. Government Accountability Office (GAO) responded to these research findings by releasing a report that advised the FDA to adopt a plan focused on information security risks. The report highlighted the shortcomings of the FDA approval process for a flawed insulin pump and defibrillator, specifically. In these instances, the FDA did not consider intentional risks, and it also overlooked the unintentional risks in four of the eight information security control areas identified by the GAO. The GAO also noted that postmarket flaw reporting procedures were more focused on device malfunctions than on identifying software security issues.
"To ensure the safety and effectiveness of active implantable medical devices as technology evolves, FDA concurs with GAO that the agency continuously develop and implement new strategies designed to assist the agency in its medical device premarket review and post-market surveillance efforts relative to information security," FDA spokeswoman Michelle Bolek told Modern Healthcare.
Building more secure devices
According to the Economist, one of the challenges facing the validation of medical device software safety is that the development process remains largely closed and proprietary. While the FDA could demand to see the source code for every device it approves, it generally leaves the responsibility of performing thorough analysis to the manufacturer. Vendors are advised to use static analysis tools to ensure FDA compliance, although the adoption of such products remains limited.
In response to a perceived lack of transparency on the part of medical device manufacturers, a number of open source development initiatives have taken on the project of developing products such as insulin pumps. The hope is that using an open source platform will allow manufacturers to build safer products from the outset, the Economist reported. However, many of these projects struggle to obtain FDA approval since they lack the type of rigorous documentation of the development process the agency requires.
Initiatives are underway to develop a more collaborative, interoperable environment among devices, and some analysts have expressed hope that medical devices might someday evolve into a collection of accessories drawing on the same secure, open source computing framework, the Economist noted. Regardless of the approach used, such devices are due for more thorough security procedures such as the use of source code analysis tools, according to experts.
"When a plane falls out of the sky, people notice," Fu told the Economist, noting that action toward safer code was needed as soon as possible. "But when one or two people are hurt by a medical device, or even if hundreds are hurt in different parts of the country, nobody notices."
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.