The Security Ledger with Paul F. Roberts

Medical Pumps Recall: Bug Causes Inaccurate Readings on Touchscreen

Mobile phones aren’t the only products to benefit from nifty touch screen displays. A whole range of medical devices now sport them as well, as any trip to your local emergency department (or dentist’s office) will reveal. Unfortunately, many of those devices are just as balky and bug-ridden as your average mobile phone, despite the fact that patients’ lives can rely on them.

Hospira warned a software error may cause touch interfaces on its Symbiq Infusion pump to not respond or deliver inaccurate doses to patients.

And this week, there’s more evidence of the lurking epidemic of shoddy, IP-enabled medical devices. The medical device maker Hospira issued a voluntary, nationwide recall of its Symbiq brand infusion systems after discovering a software error that caused the touch screen interfaces on the devices to respond incorrectly to user input. The problem could result in “a delayed response and or the screen registering a different value from the value selected by the user,” the company said in a statement.

Symbiq is a drug infusion system that delivers controlled amounts of medications to patients through intravenous, intra-arterial, epidural and other means. It is designed to prevent medical errors by offering pre-defined doses from a drug library. The devices are capable of delivering 16,000 medications across 40 clinical care areas. Symbiq systems are also Wi-Fi enabled and communicate infusion data back to a separate MedNet management application.

Hospira, of Lake Forest, Illinois, began its recall of all Symbiq One Channel and Two Channel Infusers (model numbers 16026 and 16027) on August 29.

In its statement, Hospira said that an internal investigation found that the problems with the pump were software related and affect around 1.5% of Symbiq systems, but that “the software-related root cause of this issue potentially impacts all Symbiq infusion systems currently in the field.” Hospira said that it is in the process of developing design improvements to correct the issue, which includes “design and development activities.” It advised hospitals and other medical offices that use the pump to test its touch screen and, if problems are encountered, to remove it from service until a patch is available from the company.

Software engineers and security experts have sounded warnings about the vulnerability of IP-enabled medical devices for some time now. A paper prepared jointly by researchers at the University of California, Berkeley, Carnegie Mellon University and the University of Massachusetts, Amherst in 2011 studied a popular automated external defibrillator (AED) and found serious security holes in both the embedded software on the device and a commercial software update mechanism used to service it. The researchers concluded that software security is an “afterthought in medical device design.” A subsequent report (PDF) by the FDA’s Office of Science and Engineering Laboratories (OSEL) added fuel to that argument, finding that software errors were behind a quarter of all medical device recalls in 2011. Finally, security researchers have shown how implantable medical devices such as insulin pumps can be remotely attacked and, potentially, used to deliver lethal doses of medication to their wearers.

 
