Medical Device Cybersecurity Implications on Patient Safety
Rachel Leone, Dr. Liljana Babinkostova, Dr. Marion Scheepers, Kristen Garcia, Sulema Jimenez, Tabarak Alomar
According to the Food and Drug Administration (FDA), a recall is the removal or correction of a marketed medical device that violates the laws the FDA administers and poses a risk to patient health and safety (1). As medical devices have become more advanced and able to connect to networks and other devices, cybersecurity has become a concern for ensuring proper patient care. A recent study examined cybersecurity attacks on medical devices and characterized the vulnerabilities using reports from the CVE and ICS-CERT databases (3). The analysis of FDA recall reports (2) presented here is a preliminary step toward categorizing medical device recalls and eventually connecting them to potential cybersecurity vulnerabilities.
Top Information Security Concerns
- 57%: HIPAA violations/compromise of patient privacy
- 40%: Internal vulnerabilities/employee theft/negligence
- 32%: Medical device security
- 31%: Aging IT hardware
(retrieved from Clear and Present Danger: Act Now on Medical Device Cybersecurity, reference 4 below)
Methods and Data
Data were collected from the FDA Medical Device Recall Database for January 2010 through March 2020 by searching for recall reasons containing "software" and "hardware", which yielded approximately 1300 results. The total number of software- and hardware-related device recalls by year is shown in Figure 1.
R and RStudio were used to process all 1300 entries and sort the dataset by number of recalled devices per manufacturer. The number of recalls for the ten manufacturers with the most software- and hardware-related recalls is shown in Figure 2.
The entries from these top ten manufacturers were categorized by applying a keyword-based method to the manufacturer's stated reason for recall. Keywords were manually grouped into the categories shown in Table 1; the proportion of entries in each category is shown in Figure 3.
The phrases making up these categories were then manually reviewed for possible cybersecurity-related issues; the results are shown in Figure 4.
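As an added illustration of the procedure described above (ranking manufacturers by recall count, keyword-categorizing the manufacturer's reason for recall, and screening reasons for cybersecurity review), the following Python script is provided here. It is not the authors' R code, and the recall entries, category keyword groups and review terms in it are constructed placeholders, not the poster's Table 1 or real FDA records.

```python
import re
from collections import Counter

# Constructed sample entries (not real FDA recall records). Each entry carries the
# two fields the analysis uses: the manufacturer and the manufacturer's stated reason.
SAMPLE_RECALLS = [
    {"manufacturer": "Acme Medical", "reason": "Software error may cause incorrect dose display"},
    {"manufacturer": "Acme Medical", "reason": "Battery may fail to charge due to hardware fault"},
    {"manufacturer": "Acme Medical", "reason": "Wireless network connection may drop during monitoring"},
    {"manufacturer": "Beta Devices", "reason": "Alarm may not sound when patient pressure exceeds limit"},
    {"manufacturer": "Beta Devices", "reason": "Firmware allows unauthorized remote access to pump settings"},
    {"manufacturer": "Gamma Health", "reason": "Label error on packaging"},
    {"manufacturer": "Acme Medical", "reason": "Display freezes after software update"},
]

# Hypothetical keyword groups standing in for the poster's Table 1 (assumed; the
# authors' actual categories are not reproduced here). Patterns are word-bounded so
# that "software" does not also match an unrelated longer token.
CATEGORIES = {
    "software defect": [r"\bsoftware\b", r"\bfirmware\b", r"\bbug\b"],
    "hardware failure": [r"\bhardware\b", r"\bbattery\b", r"\bcircuit\b"],
    "display/alarm": [r"\bdisplay\b", r"\balarm\b"],
    "connectivity": [r"\bnetwork\b", r"\bwireless\b", r"\bcommunication\b"],
}

# Terms that send a recall reason to manual cybersecurity review (also assumed).
CYBER_TERMS = [r"\bunauthori[sz]ed\b", r"\bpassword", r"\bencrypt", r"\bnetwork\b",
               r"\bremote\b", r"\bvulnerab", r"\bmalware\b"]


def categorize(reason):
    """All categories whose keywords appear in the reason text, in CATEGORIES order.
    A reason can match several categories; one that matches none is 'uncategorized'."""
    text = reason.lower()
    hits = [name for name, patterns in CATEGORIES.items()
            if any(re.search(p, text) for p in patterns)]
    return hits or ["uncategorized"]


def is_cyber_candidate(reason):
    """True if the reason contains a term that warrants manual cybersecurity review."""
    text = reason.lower()
    return any(re.search(p, text) for p in CYBER_TERMS)


def top_manufacturers(recalls, n=10):
    """Manufacturers ranked by number of recall entries, as (name, count) pairs."""
    return Counter(r["manufacturer"] for r in recalls).most_common(n)


def category_counts(recalls, manufacturers):
    """Category tally over the entries of the given manufacturers. Because an entry
    may carry several labels, the tally can exceed the number of entries."""
    counts = Counter()
    for r in recalls:
        if r["manufacturer"] in manufacturers:
            counts.update(categorize(r["reason"]))
    return counts


def cyber_candidates(recalls):
    """Entries flagged for manual cybersecurity review."""
    return [r for r in recalls if is_cyber_candidate(r["reason"])]


if __name__ == "__main__":
    top = [name for name, _ in top_manufacturers(SAMPLE_RECALLS, n=2)]
    print("top manufacturers:", top)
    print("category counts:", category_counts(SAMPLE_RECALLS, top))
    for r in cyber_candidates(SAMPLE_RECALLS):
        print("review for cybersecurity:", r["manufacturer"], "-", r["reason"])
```

Two properties of the keyword method show up in the constructed data. A reason such as "Software error may cause incorrect dose display" matches two categories, so proportions computed from label counts do not sum to the number of entries and a single-label figure requires a precedence rule. A reason phrased without any of the chosen terms lands in "uncategorized" and is never flagged, which is why the manual review of the category phrases remains a necessary step.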
- Our preliminary results indicate that there are many types of medical devices and many reasons for recall. The manufacturer's reason for recall is more specific than the FDA's reason, so a patient reading only the FDA's reason may not understand the error in their device or the impact it can have on their safety and privacy. Using the manufacturer's reason may therefore provide more transparency for the patient.
- As a future goal, we want to develop natural language processing (NLP) software that can categorize and sort all current and future recalls into a more manageable database for ease of patient access, while also linking the reasons for recall to the CVE and ICS-CERT classifications of software and cybersecurity malfunctions.
- (1) Center for Devices and Radiological Health, FDA. "Recalls, Corrections and Removals (Devices)." U.S. Food and Drug Administration.
- (2) U.S. Food & Drug Administration. "Medical Device Recalls." Accessdata.fda.gov.
- (3) Y. Xu, D. Tran, Y. Tian and H. Alemzadeh, "Analysis of Cyber-Security Vulnerabilities of Interconnected Medical Devices," 2019 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE), Arlington, VA, USA, 2019, pp. 23-24.
- (4) D. Remick, "Clear and Present Danger: Act Now on Medical Device Cybersecurity," 2016.
This research was supported by NSF REU Site Grant DMS-169872. We thank the Boise State College of Innovation and Design for their support of the project as well as our mentors Dr. L. Babinkostova, R. Erbes (Idaho National Lab), J. Radcliffe (Thermo Fisher Scientific), and Dr. M. Scheepers. We would also like to thank D. Leone, D. Valiente, and G. Frandsen for discussing our data analysis.
For questions or comments about this research, contact Rachel Leone at email@example.com.