“Many software platforms lack robust code validation”, FDA’s Office of Science and Engineering Laboratories (OSEL) said in its 2011 annual report. “In medical devices that contain software, it can be extremely difficult to assess if a firm follows their processes for design controls, especially in the areas of validation, risk/hazard analysis, and design changes”, the report said.
For example, software flaws caused around 24% of medical device recalls at one medical device manufacturer’s facility in 2011, according to an OSEL inspection team.
The inspection team found customer complaints about incorrect or missing patient results in a laboratory information system, and incorrect or missing notifications to clinicians that test results were out of range. “These types of failures can directly lead to patient harm or death if inappropriate drug dosing (too little or too much) or clinical decisions are made based on incorrect information”, the report warned.
Recently, the viasyshealthcare.com website, which provides software updates for CareFusion’s medical devices, was apparently compromised for two months, according to an analysis by Clean MX cited by Paul Roberts of Kaspersky Lab’s Threatpost blog. CareFusion makes Alaris-brand infusion pumps and AVEA, AirLife, and LTV series ventilation and respiratory products.
The Clean MX analysis of viasyshealthcare.com suggested that the site was redirecting visitors to a web domain, gbfhju.com, which was among those used by the "LizaMoon" gang to serve up malware to unsuspecting web surfers, Roberts noted.
Roberts said the viasyshealthcare.com website was offline on Monday, and it remains offline as of Thursday afternoon, based on Infosecurity research.