Skip to main content

118. An Analysis of Medical Device Recalls

Medical Device Cybersecurity Implications on Patient Safety

Rachel Leone, Dr. Liljana Babinkostova, Dr. Marion Scheepers, Kristen Garcia, Sulema Jimenez, Tabarak Alomar

Leone final poster - view content on posts page
Select to view full poster image

Introduction

According to the Food and Drug Administration (FDA) a recall is the removal or correction of medical devices that do not abide by the laws governed by the FDA and threaten patient health and safety (1). Even though medical devices have become more advanced and are able to connect to networks and other devices, cybersecurity has become an issue while ensuring proper patient care. A recent study examined cybersecurity attacks in medical devices, then characterized the vulnerabilities based on reports from the CVE and ICS-CERT databases (3). This analysis of FDA reports (2) are the preliminary actions to categorize medical device recalls and eventually connect them to potential cybersecurity vulnerabilities.

Top Information Security Concerns

  • 57%: HIPAA violations/compromise of patient privacy
  • 40%: Internal vulnerabilities/employee theft/negligence
  • 32%: Medical device security
  • 31%: Aging IT hardware

(retrieved from Clear and Present Danger: Act Now on Medical Device Cybersecurity, reference 4 below)

Methods and Data

Data collection

Data was collected from the FDA Medical Device Recall Database from January 2010-March 2020 by entering “software” and “hardware” reasons into the search engine and yielded approximately 1300 results. The total number of software and hardware-related device recalls is shown by year in Figure 1.

Line graph, vulnerabilities per year from 2010-2020
Figure 1: Number of Vulnerabilities Per Year Recorded in the FDA Database.

The R Suite and R Studio were used to assess all 1300 entries of data and sorted the dataset by number of recalled devices per manufacturer. The number of device recalls for the ten manufacturers with the greatest amount of software and hardware-related recalls are shown in Figure 2.

Bar graph, number of recalls per manufactuer from Jan 2010-Mar 2020. Contact presenter for specific data
Figure 2: The ten manufacturers with the most device vulnerabilities between January 2010 – March 2020.

The entries from the top ten manufacturers were categorized by utilizing a keyword-based method the manufacturer’s reason for recall. Keywords were manually grouped together into categories, shown in Table 1. The proportions of these categories are shown in Figure 3.

Table, Contact presenter for specific data
Table 1: Categorizations for Manufacturer Reason for Recall
Pie chart: 3.1% multiple, 20% incorrect data, 6.7% loss of data, 18.9% images and results, 17.5% patients, 1.6% damages, 16.2% software, 8.5% system processing, 4.5% Saving, 2.9% other
Figure 3: The number of vulnerabilities per category for the devices that were recalled by the top 10 highest manufacturers.

Phrases composing the previous categories were manually analyzed for possible cybersecurity-related issues in Figure 4.

Bar graph, contact presenter for specific data
Figure 4: Number of Possible Vulnerabilities Per Cybersecurity-Related Manufacturer Reason for Recall Phrase.

Conclusion/Future Work

  • Our preliminary results indicate that there are many types of medical devices and reasons for recall. The manufacturer’s reason for recall is more specific than the FDA’s reason, so patients may not understand the errors in their devices and the impact these errors can have on their safety and privacy due to the report. Therefore, using the manufacturer’s reason may provide more transparency for the patient.
  • Among future goals, we want to develop a Natural Processing Language (NPL) software that can help us categorize and sort all of our current and future recalls into a more manageable database for ease of patient access, while also linking these reasons for recall to the CVE and ICS-CERT classifications of software and cybersecurity malfunctions.

References

  1. Center for Devices and Radiological Health, FDA. “Recalls, Corrections and Removals (Devices).” U.S. Food and Drug Administration, FDA,
  2. U.S. Food & Drug Administration. “Medical Device Recalls.” Accessdata.fda.gov,
  3. Y. Xu, D. Tran, Y. Tian and H. Alemzadeh, “Analysis of Cyber-Security Vulnerabilities of Interconnected Medical Devices,” 2019 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE), Arlington, VA, USA, 2019, pp. 23-24.
  4. Remick, D., Clear And Present Danger: Act Now On Medical Device Cybersecurity, 2016.

Acknowledgements

This research was supported by NSF REU Site Grant DMS-169872. We thank the Boise State College of Innovation and Design for their support of the project as well as our mentors Dr. L. Babinkostova, R. Erbes (Idaho National Lab), J. Radcliffe (Thermo Fisher Scientific), and Dr. M. Scheepers. We would also like to thank D. Leone, D. Valiente, and G. Frandsen for discussing our data analysis.

Additional Information

For questions or comments about this research, contact Rachel Leone at rachelleone@u.boisestate.edu.

Virtual Poster Sessions

Return to Virtual Poster Sessions Main Page