The study said that software-related recalls of medical devices were a “particularly prevent problem with potential security and safety ramifications.” It cited an example of a software-related problem that led to a recall: “The product has a software problem in which previous patient measurement data gets associated with another patient’s image”, according to an FDA advisory.
In addition, the study found that from 2002 through 2010, 523 of the 537 recalls (97.4%) that mentioned the word “software” cited software specifically as the reason for the recall. Of these, 428 (81.8%) mentioned a software upgrade, and only 258 (49.3%) described upgrade instructions.
To test the effectiveness of the FDA Safety Information and Adverse Event Reporting Program for reporting security and privacy problems with medical devices, one co-author of the study submitted a software vulnerability report for an automated external defibrillator on July 19, 2011.
As of January 19, 2012, the report had not yet been processed into the FDA’s Manufacturer and User Facility Device Experience (MAUDE) database. In April 2012, MAUDE was found to contain the report for the event under report number MW5023578. The report processing took nine months.
“Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers with respect to security and privacy risks. Recalls related to software may increase security risks because of unprotected update and correction mechanisms”, the authors of the study concluded.