Lead Institution: University of Massachusetts Amherst

Project Leader: Kevin Fu

Research Progress

  • Abstract
    Once deployed, medical devices are followed up through databases at the FDA. Because these databases are clinician-centric, only a small number of security issues have been reported, even though the software running on medical devices accounts for a large portion of the reported issues.

  • Focus of the research/Market need for this project
    Without understanding the security risks in modern communicating medical devices, the safety of patients relying on health IT systems can be compromised. Having a clear picture of the inter-dependencies of devices during the FDA approval process can also help in understanding the cause and nature of software issues.

  • Project Aims/Goals
    Understanding the prevalence of security and privacy risks in clinical settings by surveying the FDA recall databases.

  • Key Conclusions/Significant Findings/Milestones reached/Deliverables

    • Survey of security-based recalls using FDA’s databases spanning varying ranges from 2 to 11 years.

    • Evaluated the impact that the results of the FDA data analysis have on patient and provider perceptions regarding telemedicine security and privacy.

    • Analysis completed and report disseminated to medical device engineers via open-access journal.

    • Recalls and adverse events from federal government databases reveal sharp inconsistencies with databases at individual providers with respect to security and privacy risks.

    • The survey method could be applicable to other risks (such as safety) in medical devices. A follow-up survey of the FDA’s 510(k) equivalence database allowed a much clearer picture and enabled graph-based techniques to analyze the medical device equivalence relationships. A sample of the graph (about 1% of the nodes) is shown below.

  • Materials Available for Other Investigators/interested parties
    The publication is available as open access, and the code is open source:

  • Market entry strategies

    • Outreach to manufacturers, NIST, and FDA to encourage better collection of post-market data on security and privacy risks.
    • Future effort with FDA on a follow-up program and manuscript preparation for submission to JAMIA summer of 2014.
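The graph-based analysis of 510(k) equivalence relationships described under Key Conclusions can be illustrated with a small dependency graph. The following is an added example, not code from the project: the predicate map is constructed sample data with placeholder identifiers (not real 510(k) numbers), and the two helper functions show the kind of question such a graph answers, namely which cleared devices trace their equivalence chain back to a given predicate, and how long that chain is.

```python
from collections import deque

# Constructed sample of 510(k) predicate relationships. Each key is a cleared
# device; its value lists the predicate device(s) it claimed substantial
# equivalence to. The "K-DEMO-*" identifiers are placeholders, not real
# 510(k) numbers.
PREDICATES = {
    "K-DEMO-01": [],                          # original device, no predicate
    "K-DEMO-02": ["K-DEMO-01"],
    "K-DEMO-03": ["K-DEMO-01"],
    "K-DEMO-04": ["K-DEMO-02", "K-DEMO-03"],  # cites two predicates
    "K-DEMO-05": ["K-DEMO-04"],
    "K-DEMO-06": [],                          # unrelated lineage
}


def build_dependents(predicates):
    """Invert the predicate map: predicate -> devices that cite it."""
    dependents = {device: [] for device in predicates}
    for device, preds in predicates.items():
        for pred in preds:
            dependents.setdefault(pred, []).append(device)
    return dependents


def transitive_dependents(predicates, root):
    """Every device whose equivalence chain leads back to `root`.

    Breadth-first search over the inverted graph, so a device that depends
    on `root` through several intermediate predicates is still found.
    """
    dependents = build_dependents(predicates)
    seen, queue = set(), deque([root])
    while queue:
        node = queue.popleft()
        for child in dependents.get(node, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def ancestry_depth(predicates, device):
    """Length of the longest predicate chain from `device` to an original device."""
    preds = predicates.get(device, [])
    if not preds:
        return 0
    return 1 + max(ancestry_depth(predicates, pred) for pred in preds)
```

With this data, a concern about the original device K-DEMO-01 propagates to four dependents, while K-DEMO-06 has none.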

Making the Invisible Visible: Analyzing the 510(k) Device Dependencies
Tingyi Wei, Denis Foo Kune, and Kevin Fu
USENIX Workshop on Health Information Technologies, August 2013