Medical Device Software Raises Concerns

Many implantable <"">medical devices that turned out to be defective this year appear to have suffered from software problems. According to The Register, about one-quarter of these devices were involved.

The U.S. Food and Drug Administration (FDA) regulates pacemakers, implantable cardioverter defibrillators, and other implantable medical devices (IMDs); however, the source code for device software is considered manufacturer property, said the Software Freedom Law Center. Because of this, doctors and patients are not allowed to review code for defects, which could lead to dangerous conditions, wrote The Register.

“Though the surge in IMD treatment over the past decade has had undeniable health benefits, device failures have also had fatal consequences,” wrote the authors of the report. “Research indicates that as IMD usage grows, the frequency of potentially fatal software glitches, accidental device malfunctions, and the possibility of malicious attacks will grow,” they added.

In the first six months of this year alone, 23 devices were recalled over a “reasonable probability that use of these products will cause serious adverse health consequences or death,” said the report, according to The Register. About six of the defects likely originated from software bugs.

A defibrillator recalled by a Medtronic subsidiary was rife with failure reports over its eight years in existence, with one involving an “unconfirmed adverse patient event,” said the report, according to the Register. The device involved was an external defibrillator used by paramedics and emergency personnel, said the manufacturer. From 1997 to 2003, some 212 deaths were the result of defects in five different defibrillators, said The Register.

Implantable devices—specifically newer devices controlled remotely via radio signals—are more vulnerable to attacks, which can lead to malfunctions or exposure of critical information, said The Register. While ultrasound waves and password tattoos have been suggested as potential fixes, the non-profit software group suggests mandating that device manufacturers make source codes publicly auditable.

“Our intention is to demonstrate that auditable medical device software would mitigate the privacy and security risks in IMDs by reducing the occurrence of source code bugs and the potential for malicious device hacking in the long-term…. Although there is no way to eliminate software vulnerabilities entirely, this paper demonstrates that free and open source medical device software would improve the safety of patients with IMDs, increase the accountability of device manufacturers, and address some of the legal and regulatory constraints of the current regime,” said the report, quoted The Register. The report, “Killed by Code: Software Transparency in Implantable Medical Devices,” can be accessed at:

Of note, earlier this year, we wrote that a well-publicized and damaging Internet virus—Conficker—infiltrated medical technology. Actually, more of a worm, Conficker made its way into critical medical devices. Rodney Joffe, organizer of the Conficker Working Group and senior vice president for Neustar, told Congress that due to governmental regulations, hospital staff was prevented from making needed repairs, said CBS News. Joffe told the House Energy and Commerce Committee that he and another Conficker researcher found no less than 300 medical devices from just one maker that were infected with Conficker.

According to Joffe, the devices, “should have never, ever been connected to the Internet,” quoted CBS News, which explained that the devices involved enable hospital physicians to look at and work with high-intensity scans, such as MRIs and other significant technology connected to local area networks (LANs). Under existing government mandates, the hospitals affected by Conficker are required to wait 90 days before updating their systems to eliminate both the system infections and any “vulnerabilities,” said CBS News. CNET explained that Conficker affected hospitals worldwide.

This entry was posted in Defective Medical Devices. Bookmark the permalink.

© 2005-2019 Parker Waichman LLP ®. All Rights Reserved.