Telemedicine: POST-MARKET SURVEILLANCE OF SECURITY AND PRIVACY PROBLEMS
Lead Institution: University of Massachusetts Amherst
Project Leader: Kevin Fu
Once medical devices are deployed, follow-up is done through databases at the FDA. Because the reporting is clinician-centric, only a small number of security issues have been reported, although software running on medical devices accounts for a large portion of the reported issues.
Focus of the research/Market need for this project
Without understanding the security risks in modern communicating medical devices, the safety of patients relying on health IT systems can be compromised. Having a clear picture of the inter-dependencies of devices during the FDA approval process can also help in understanding the cause and nature of software issues.
Understanding the prevalence of security and privacy risks in clinical settings by surveying the FDA recall databases.
Key Conclusions/Significant Findings/Milestones reached/Deliverables
Survey of security-based recalls using the FDA's databases, spanning ranges that vary from 2 to 11 years.
Evaluated the impact that the results of the FDA data analysis have on patient and provider perceptions regarding telemedicine security and privacy.
Analysis completed and report disseminated to medical device engineers via open-access journal.
Recalls and adverse events from federal government databases reveal sharp inconsistencies with databases at individual providers with respect to security and privacy risks.
The survey method could be applicable to other risks (such as safety) in medical devices. A follow-up survey of the FDA's 510(k) equivalence database allowed a much clearer picture and enabled graph-based techniques to analyze the medical device equivalence relationships. A sample of the graph (about 1% of the nodes) is shown below.
Materials Available for Other Investigators/interested parties
The publication is available as open access, and the code is open source: https://github.com/denisfookune/510k
Market entry strategies
- Outreach to manufacturers, NIST, and FDA to encourage better collection of post-market data on security and privacy risks.
- Future effort with the FDA on a follow-up program and manuscript preparation for submission to JAMIA in summer of 2014.
Making the Invisible Visible: Analyzing the 510(k) Device Dependencies
Tingyi Wei, Denis Foo Kune, and Kevin Fu
USENIX Workshop on Health Information Technologies, August 2013