Study: FDA device recall databases don't collect hacking data

The U.S. has three major medical-device recall and safety alert databases, but none appear adequately equipped to track medical device vulnerabilities to malware or their need for software security updates, according to a new study.

In other words, as reported by Government Info Security and Network World, government and regulators must do more to track device problems relating to hacking. Details of the study are published in the open-access scientific journal PLoS ONE.

You probably recognize some of the study authors. They include Kevin Fu, for example, a University of Massachusetts researcher who was among the first to demonstrate, a few years back, that some pacemakers could be easily hacked in order to deliver a fatal electrical charge. Researchers with Harvard Medical School/Beth Israel Deaconess Medical Center also helped put together the study, which involved a multi-year look at how medical equipment manufacturers and their customers make public device recalls or other product equipment issues.

There are three major databases. The U.S. Food and Drug Administration offers a database accessible to the public known as Medical and Radiation Emitting Device Recalls. Additionally, regulators maintain their MAUDE database, to which manufacturers, hospitals and physicians are required to report any adverse events, Network World explains. And the FDA issues enforcement reports regarding safety alerts and recalls.

But the researchers' review of 9 years of data from each system showed the databases don't offer a consistent way to report software/security problems, according to the study. Put another way, the scientists found little information about any privacy or security-related product recalls or adverse events.

Cybersecurity regarding medical devices is only starting to get industry attention, after the issue fell on deaf ears. But companies, including Medtronic ($MDT), are increasingly willing to talk about potential problems with the hacking of medical devices such as pacemakers and defibrillators, many of which are vulnerable to interference because they rely on commercial PCs and wireless connections that leave them exposed.

- read the Network World story
- check out the Government Info Security piece