Medical Device Recall and Security Status

Medicine Equipment - Pixabay

Medical device recalls reached record highs in the first three months of 2018 due to software complications that are likely to continue with the spread of high-tech devices. Device recalls increased 126 percent in the first quarter of 2018. At 343 recalls, it was the highest number in a single quarter since 2005, according to a report by Stericycle’s Recall Index, which tracks recall data across several industries.

Software was the biggest driver of medical device recalls in the first quarter, accounting for 23 percent of all recalls. Software issues have been the leading factor in device recalls each quarter since the beginning of 2016.

Bethany Hills, an attorney at Mintz Levin in New York who chairs the firm’s Food and Drug Administration (FDA) practice, says the rapid increase is not totally unexpected. Medical device software is becoming increasingly complex, with analytics that provide a higher level of clinical decision support.

“The more complex the software, the more likely it is that the developers did not account for all variables in the clinical environment, increasing the risk of bugs and errors,” she explained in a FierceHealthcare interview. “This risk increases further if the device manufacturer outsources software development because integration of outside software and the inability to quickly modify the code can lead to additional errors slipping through the cracks.”

All told, more than 208 million devices were recalled in the beginning of the year, more than the total number of recalled devices in all of 2017. There doesn’t appear to be one singular reason for the startling uptick, making it difficult to pinpoint an underlying trend.

Although it’s possible the first three months of 2018 were an anomaly, software challenges aren’t likely to recede. Device manufacturers are building more innovative devices with software that requires frequent updates and patches.

“[Manufacturers] don’t have this figured out yet and it’s going to continue to be a driver,” Mike Good, vice president of marketing and sales operations at Stericycle, told FierceHealthcare.

Medical Device Cybersecurity

At the same time, medical device cybersecurity has emerged as a growing concern among industry leaders and lawmakers. Legacy devices are especially susceptible to attacks. A recent report from analysts at Symantec indicated a hacker group known as Orangeworm has been launching targeted attacks on the healthcare imaging suites where devices run on outdated operating systems.

Although there have been a limited number of cybersecurity recalls, the most notable was a firmware update for Abbott-manufactured cardiac devices. According to Healthcare IT News, Abbott recently released its second and final round of planned cybersecurity updates to its pacemakers, programmers and remote monitoring systems to fix severe cybersecurity flaws in the devices.

The patch will update the battery performance alert. This allows the device to monitor for abnormal battery behavior and automatically vibrate to tell the patient when something is wrong.

The planned updates began last year, and the latest firmware update was approved by the FDA last month. The update applies to about 350,000 of Abbott’s implantable cardioverter defibrillators and implantable cardiac resynchronization therapy defibrillators.

The devices were originally manufactured by St. Jude Medical, which Abbott acquired last year. At that time, St. Jude was under fire for remaining quiet about defibrillator issues that caused rapid battery depletion. The FDA found St. Jude continued to ship these devices despite knowing about the defect.

The flaws, made public in 2016 by Muddy Waters and security firm MedSec, could allow an unauthorized user to access the defibrillators and modify the programming controls. Since acquiring St. Jude, Abbott has been working to patch those vulnerabilities.

The FDA’s recall notice said the firmware update will reduce the risk of patient harm due to premature battery depletion and potential exploitation of the flaws in the devices. The update will effectively complete the necessary patches to prevent unauthorized access.

Hills expects the medical device recall trend to continue, particularly now that the FDA is accepting devices with artificial intelligence and more complex clinical decision support algorithms. While the trend may continue, the FDA is trying to come up with possible solutions. Food and Drug Administration Commissioner Scott Gottlieb, M.D., has asked Congress for funding to create a cybersecurity “go-team” that would be housed in a new Center of Excellence on Digital Health.

Hills points out that reducing the number of devices recalled from the market requires a joint effort by manufacturers and the FDA to minimize risks prior to approval. Doing so is a delicate balance between constantly testing and validating software and the clinical benefits of using the software.

________________________

Ryan Lahti is the managing principal of OrgLeader and author of The Finesse Factor: How to Build Exceptional Leaders in STEM Organizations being published in early 2019. Stay up to date on Ryan’s STEM organization tweets here: @ryanlahti

(Photo: Medicine Equipment, Pixabay)

Facebooktwittergoogle_pluslinkedin