Encryption and authentication issues, poor programming, and technological bugs are to blame for more than 8,600 potentially fatal flaws in pacemakers.
“Vulnerabilities were associated with outdated libraries used in pacemaker programmer software” and patients were at risk of outside sources tapping into the cloud-based systems and altering device settings.
Excerpt: “A recent report from security firm WhiteScope describes more than 8,600 flaws in pacemaker systems and the third-party libraries that power various components of the devices.”
“WhiteScope analyzed seven different pacemaker programmers from four different manufacturers with a focus on programmers that rely on modern radio frequency. The programmers are used to monitor the function of implantable devices and set therapy parameters.”
“Most of these systems run on a similar architecture including an implanted medical device, a home monitoring system, a pacemaker programmer and a cloud-based infrastructure that relayed data to a physician.”
“Further, these systems stored the unencrypted file data on removable media, which means anyone can pick up a device and figure out how to hack it. The design flaw highlights the need for a complete overhaul of the basic design that manufacturers need to address.”
“In another instance, actual unencrypted data that included Social Security numbers, names, medical data and other patient data of a ‘well-known hospital on the east coast’ was left exposed on a pacemaker programmer. The researchers contacted the ‘appropriate agency’ with their findings.”
“‘The pacemaker ecosystem has some serious challenges when it comes to keeping systems up-to-date,’ the researchers said.‘ No one vendor really stood out as having a better/worse update story when compared to competitors.’”
“This isn’t the first time medical device security has been under fire. St. Jude and Abbot’s medical devices have been criticized since fall of 2016. ICS-CERT and the U.S. Food and Drug Administration have released warnings about medical devices since 2013.”
Source: Healthcare IT News
WBB Take: Like aviation and similar industries, quality in the medical devices industry is tightly coupled with safety. Lapses in quality can (and often will), result in serious harm, including loss of life.
This tight coupling between quality and safety is particularly true for critical implanted medical devices such as pacemakers. To maintain quality and safety, designers, manufacturers, vendors, physicians, and medical technicians must maintain individual quality that is no lower than the desired final quality, and all of them must be fully aware of how any lapse in quality of their work will cascade across the work of every other party in the chain. Not only is this a case of “the chain is only as strong as the weakest link”, but quality deficits accumulate at every link in the chain.
In Lean Six Sigma, the First Time Yield (FTY) is the calculation of defects generated by each step in a process, and would represent the number of errors the designer, manufacturer, programmer, surgeon, medical technician, etc. made. While each of these stakeholders may be satisfied with their individual defect rate, the patient ultimately experiences the Rolled Throughput Yield (RTY), not the FTY. RTY is calculated by multiplying each FTY in the chain, and will therefore likely have a lower quality rate than the lowest FTY in the chain. Even if every stakeholder in the chain operates at Six Sigma quality, each inherits the defects of the prior stakeholder, and any defect in their work adds to those of the previous stakeholders in the chain.
For this reason, it is critical that quality improvement feedback loops are built into care workflow, and that RTY is monitored to ensure patient safety is not compromised by siloed care.
Cited by Shannen Irwin