Advances high risk, medical devices must go through a

Advances in technology have resulted in remarkable medical
devices that can extend our lives, improve the quality of our medical care, and
even save our lives. Yet, there is a documented history of events where the use
of these medical devices has unintentionally caused bodily harm or even death
in some cases. In an analysis of medical device safety completed in 2013 viewed
at, the authors state:
“Malfunctioning medical devices are one of the leading causes of serious injury
and death in the U.S.” (Alemzadeh, Iyer and
Kalbarczyk) No one knows in advance when they might have an injury or illness
that would require medical care. When we do need it, we want to know that we
are getting the best care possible and that it’s safe. It’s frightening to
think that we may be in more danger from technologically advanced medical
devices than we are from our original injury or illness.

Although there are many organizations that oversee the safety
of patient care, the Food and Drug Administration (FDA) is ultimately
responsible for approving and regulating medical devices in the United States. Currently,
the FDA assigns a class based on the intended use, whether it is invasive or
implantable, and the estimated risk to the patient. Class I, low risk, medical
devices are exempt from pre-market notification. Class II, medium risk, devices
are required to clear a review process to determine if the device is equivalent
to another that is already marketed legally. If it is, then a clinical trial is
not required. Class III, high risk, medical devices must go through a formal pre-market
review process (PMA) that requires clinical trials. (Sorenson and Drummond) Class III medical
devices are grouped into 19 categories with over 580 types of devices. These
are the most complex devices; they may be implanted, provide life support, or
present a high potential risk of illness or injury. Partly due to the quantity
of devices it must monitor, “The FDA approval system cannot assure the safety
and effectiveness of increasingly complex medical devices.” (Curfman and Redberg) Some of these high-risk
categories of computerized medical devices include:

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

Diagnostic – MRI, PET scan, CT scan, X-ray’s,

Treatment – pacemakers, insulin infusion pumps,
neural stimulators, radiation therapy

Life support – ventilators, incubators,
heart-lung machines, dialysis machines

Medical monitors – ECG, EEG, blood pressure,
patient vital signs

Lab equipment – analyze blood, urine, genes,
blood gases

The FDA has the power to inspect all medical devices,
request that the manufacturer issues a recall, seize the device if the
manufacturer doesn’t issue a recall, and to request injunctions against
distribution of the device. Typically, their policy is to inspect the medical
devices every two to three years. The policy also mandates that all adverse events
involving death or serious injury to a patient that may have been caused by a
medical device must be reported immediately. Other events (that did not cause
death or serious injury) must be recorded, and a summary should be submitted
annually. (21CFR803) Studies have shown that “fear of punishment, uncertainty
of what should be reported and how event reports will be used, and time
constraints to event recognition and reporting” prevent consistency in
reporting these events. (Polisena, Gagliardi and Urbach) In one report, a
sample of records reviewed by the National Electronic Injury Surveillance
System (NEISS) reported 10,395 adverse events resulting in emergency department
visits from July 1999 through June 2000. Using this report as a baseline, it’s
estimated that there were over 450,000 adverse events nationally during that
one-year period. (Hefflin, Gross and Schroeder)

Like all technology, the hardware and software involved in
operating these systems can be vulnerable, impacting the safety and
effectiveness of the devices. The level of vulnerability increases when the devices
are connected to a hospital network or the Internet. Areas of vulnerability that
are discussed here include:


Design, manufacturing, and testing errors

System malfunction

User errors

Process control errors

People usually trust their doctor and the medical community
implicitly. However, cybersecurity is always a threat; medical systems can be exposed
to hackers, information theft, and malware like any other system. The
introduction of malware could threaten the safety and effectiveness of the
device, thus affecting the health of the patient. Attacks on a system can
originate from infected mobile devices connected to hospital WiFi; causing
incorrect treatment and medication errors, interference in communication between
the system and doctors, or potentially threatening instructions going to
implanted mobile devices. (Hasan, Zawoad and Noor)

It’s surprising to learn that designers and manufacturers of
medical device software allow and accept errors or “bugs” in the coding.  A bug is a coding error in the software that causes
an unexpected result. An unexpected result could be anything from a display glitch
to an output error to a system crash. Most software programs have at least a
million lines of code. (Microsoft programs have an average of 20 to 30 bugs per
1000 lines of code.) At only one bug per 1000 lines of code, a program with 1
million lines of code would have 1000 bugs! Testing to identify and resolve
coding bugs is more important than ever as medical devices continue to become progressively
more complex. Undoubtedly, programmers and code writers have a great deal of
technical knowledge and skill. Yet, in their role of writing software programs
for medical devices, they are virtually guardians of public safety. So, it’s even
more surprising that a license is not required for programmers and coders to
perform their task.

As complex systems and software programs continue to be networked
together, no one can predict how the systems will behave when different codes
connect. System malfunction is a serious concern as the number of networked medical
devices increases. The FDA receives several hundred thousand reports each year
of suspected medical device failures that result in malfunctions, death, or
serious injury. These reports are then used to analyze device performance
looking for possible patient safety issues and to determine benefit versus risk
assessments of the devices. (FDA/Medical Devices)

There are a multitude of user errors that could contribute to
the failure of a medical device. Due to lack of training, fatigue, or
distraction; a user may omit a step in the approved procedures, forget to set
controls and alarms, make minor adjustments to components of the system, enter incorrect
information, fail to notice informational flags, or try to override the system
in some way. In one instance, at least 5 deaths were the direct result of
overdoses of radiation given to cancer patients at the Panama National Oncology
Institute. A physicist attempted to “trick” the computer into reading a five-block
shield as a single shape; even though the approved procedure called out a
maximum of four blocks. As a result, the unfamiliar shape caused a system
glitch that resulted in 28 patients receiving overdoses of radiation. (John McCormick)

Process control includes any activity put in place to ensure
that a process is predictable, stable, and consistently operating at an
expected performance level with an acceptable range of variation. (Business
Dictionary) Manuals, training programs, written processes and guidelines, monitoring
charts, and mandatory tracking of events are all part of the process controls
that govern the use of medical devices. Even when proper procedures are in
place, communicating changes and issues may not happen as it should. Most
organizations and facilities don’t update their written processes and manuals
regularly and instead rely on emails, memos, or word-of-mouth. Nor do
manufacturers consistently send notice of device warnings or updates.

Technology is moving so quickly that quality and safety don’t
seem to be a priority. Medical facilities want the newest, most advanced
equipment and software, and they want it now. Many times, no one can predict
how the system is going to perform until it’s actually in use. Many times, cost
considerations limit facilities spending, so they purchase the system but not
the maintenance agreement. Most software programmers rely on patching to
correct coding problems instead of building quality checks into the program.
Users tend to pay more attention when they are learning how to use a system,
but soon their movements become automatic, perhaps missing warnings and
verification steps. There are so many challenges to perfecting medical devices;
where do we start and what can be done to improve patient safety?

Part of the problem
is assignment of responsibility. The FDA is responsible for pre-market approval
and post-market monitoring. Post-market surveillance includes collecting
adverse event reports and device audits. The FDA works with several data
reporting networks (below) to collect and analyze adverse event information to
evaluate safety, but these are undeniably under-reported. Because of the
diversity of devices, it is impossible to apply the same audit and performance
standards to all devices. Post-market monitoring to conduct quality, meaningful
studies requires time and resources that often aren’t available. Software
companies often include written licensing agreements limiting their liability
in the event of a failure. Users may not be trained properly. Who do you blame
when a patient is harmed? Unfortunately, there are no consequences to anyone
(except patients) when medical devices fail.

Obviously, there is room for improvement on every level.
Government and industry leaders are working toward solutions which include, but
are not limited to: accreditation and/or license requirements, improving quality
control during the development process, and stricter regulations regarding notifications
and reporting. Improving the safety of medical devices needs to be a priority
for all of us.BibliographyAlemzadeh, Homa, et al. “Analysis of
Safety-Critical Computer Failures in Medical Devices.” IEEE Security
& Privacy 11.4 (2013): 14-26. 22 1 2018.
.Curfman, Gregory D. and Rita F. Redberg. “Medical
Devices — Balancing Regulation and Innovation.” The New England
Journal of Medicine 365.11 (2011): 975-977. 22 1 2018.
.Hasan, Ragib, et al. How Secure is the Healthcare
Network from Insider Attacks? An Audit Guideline for Vulnerability Analysis.
2016. 22 1 2018.
.Hefflin, Brockton J., Thomas P. Gross and Thomas J.
Schroeder. “Estimates of medical device–associated adverse events from
emergency departments.” American Journal of Preventive Medicine
27.3 (2004): 246-253. 22 1 2018.
.Polisena, Julie, et al. “Factors that influence
the recognition, reporting and resolution of incidents related to medical devices
and other healthcare technologies: a systematic review.” Systematic
Reviews 4.1 (2015): 37-37. 22 1 2018.
.Sorenson, Corinna and Michael Drummond.
“Improving Medical Device Regulation: The United States and Europe in
Perspective.” Milbank Quarterly 92.1 (2014): 114-150. 23 1 2018.
. Center for Devices and
Radiological Health. “Medical Device Reporting (MDR).” U S Food and Drug Administration Home Page, Center for Devices and Radiological Health,”What Is Process
Control? Definition and Meaning.”,”‘We Did Nothing
Wrong’.” Information Technology Planning, Implementation and IT Solutions for
Business – News & Reviews –,ás, C. “Overexposure
of Radiation Therapy Patients in Panama: Problem Recognition and Follow-up Measures.” Revista Panamericana De Salud Publica = Pan American Journal of Public
Health., U.S. National Library of Medicine, .”Can Software Kill You?”,”CFR – Code of Federal
Regulations Title 21.”,

“The Impact Of
Cybersecurity Vulnerabilities On Mobile Medical App Development.”,