News Article | December 1, 2015
Hospira, a medical device manufacturer with a history of Food and Drug Administration warnings about the security of its drug pumps, has refused to issue a software update containing a security patch for its LifeCare PCA5 Infusion Pump System to security researcher Jeremy Richards. Richards previously found security holes in Hospira's drug pumps, which are designed for the continuous delivery of medication, that could enable a remote attacker to take control of a device and administer a lethal dose. He once described the drug pump as "the least secure IP enabled device I’ve ever touched in my life."

Based on his research, the FDA issued a safety alert for Hospira's LifeCare PCA3 and PCA5 Infusion Pump Systems back in May. In July, the FDA also warned hospitals to stop using the Hospira Symbiq Infusion System. Both drug pump systems are intended to enhance patient safety by automating drug delivery.

The security patch Richards requested was not related to the May safety alert, but instead fixed a vulnerability Hospira had already inadvertently addressed in 2009 when it removed the affected service. Richards purchased the PCA5, which runs the unpatched pre-2009 software, for less than $100 on eBay earlier this year for research purposes. On September 23, he alerted ICS-CERT [the US government agency that issues cybersecurity advisories] of the vulnerability. ICS-CERT contacted Hospira on Richards's behalf. On October 8, Richards says, he requested a security patch. Frustrated by the slowness of getting a response, on October 13 Richards called Hospira’s technical support line and asked if he could buy the security patch. According to Richards, Hospira quoted him a price of at least $175, “depending on what we need to do with the pump,” and promised him a call back—which, he says, he never received.
On November 13, Hospira responded via ICS-CERT rejecting his request for a security patch, saying that because the drug pumps are prescription devices, Hospira will only provide software updates to health care organizations or to security consulting firms that have agreed to the company’s terms and conditions—but not to Richards as an individual, according to the email he provided Motherboard. “For these reasons, we are declining the request to update the pumps that the researcher purchased on eBay,” the company wrote.

Richards believes Hospira's decision is based on a desire to avoid bad publicity, not a desire to secure its devices. "They will probably patch hospital pumps," he wrote in a Twitter DM. "And yes, it is because they don't want me finding holes in their patched stuff (in my opinion)."

Joshua Corman, founder of I Am The Cavalry, a global grassroots organization focused on issues where computer security intersects public safety and human life, told Motherboard in a phone call that Hospira’s position was understandable but shortsighted.

"There's a common misperception that your internal security team and contracted third parties are sufficient to finding and remediating all known security issues,” Corman said. "The understandable position Hospira seems to be taking with this researcher...only enables adversaries to continue to have the advantage,” he added. “Researchers are not their adversaries; adversaries are their adversaries. These Ts & Cs won't stop their true adversaries from getting what they want.”

Corman gave the example of Microsoft which, he said, not only employs an internal security team, and pays third-party security consultants, but also runs a bug bounty program that pays up to six figures (in US dollars) for the most severe vulnerabilities.
"And in spite of all three categories of willing allies,” Corman said, “they still need to fix one-to-several dozen security issues per month in their products, and they are considered one of the best in the world."

As Motherboard has previously reported, cybersecurity of medical devices is 15 to 25 years behind other industries. The healthcare sector is still learning how to implement well-developed cyber hygiene practices.

Device manufacturers like Hospira typically provide security patches directly to hospitals and clinics that use their products, said Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures in the FDA's Center for Devices and Radiological Health. “Outside the clinical setting, this is an evolving area and one that the FDA is continuing to work on with stakeholders, including manufacturers and independent security researchers,” she said in a statement.

Hospira defended its decision not to issue a security patch. “In the interest of patient safety, it is Hospira's practice to provide pump upgrades or enhancements only for devices purchased and maintained within the protected supply chain and to avoid devices that have been modified with after-market or unregulated features that should not be on the market,” the company said in a statement.

Yet, Corman suggested, there is precedent for after-market support to correct safety issues. He gave the example of the automotive industry, where safety recalls are good for the life of the vehicle, including used cars no longer owned by the original purchaser. "The duty of the vendor and their brand is to ensure that everyone gets the latest and greatest measures to ensure their safety,” he said.

A coordinated disclosure policy that invites collaboration by third-party researchers would not only make Hospira’s devices more secure, but also make bad publicity far less likely, Corman said.
“Most researchers will never expect reward or recognition, because the act of publicizing the vulnerability goes counter to a desire to protect the public.” “There are way more of these vulnerabilities that are found and remediated than you ever hear about in the news,” he said. “That’s good for researchers and good for patients and good for everyone.”
The U.S. Food and Drug Administration this week approved a military gunshot wound dressing for civilian usage that’s capable of controlling severe, life-threatening bleeding. Developed by Revolutionary Medical Technologies, the XSTAT 30 uses a syringe to inject a gunshot wound with small sponges, which subsequently swell and fill the wound within 20 seconds of contacting blood. The sponges work up to four hours and provide hemostatic pressure to the wound. It’s meant for wounds incapable of being treated with a tourniquet, such as the groin or axilla.

In April 2014, the FDA approved the device for military usage. At the time, Christy Foreman, of the FDA’s Center for Devices and Radiological Health, said “XSTAT is a novel device that can be rapidly deployed, providing fast-acting hemorrhage control to stabilize a wounded patient for transport.” “This will be an important new treatment option for our nation’s military to treat injured soldiers who may not be in close proximity to a medical facility,” Foreman added.

According to the United States Army Institute of Surgical Research, between 30% and 40% of civilian deaths from traumatic injury are due to hemorrhaging. Between 33% and 56% of those deaths occur before the patient even makes it to the hospital.

According to the FDA, the newly approved device is available in packages with either one or three syringe applicators, each of which contains 92 compressed cellulose sponges. “When a product is developed for use in the battlefield, it is generally intended to work in a worst-case scenario where advanced care might not be immediately available,” said William Maisel, also of the FDA’s Center for Devices and Radiological Health. “It is exciting to see this technology transition to help civilian first responders control some severe, life-threatening bleeding while on a trauma scene.” The device is not indicated for use in certain areas of the chest, abdomen, pelvis or tissue above the collarbone, according to the FDA.
News Article | December 9, 2015
The Food and Drug Administration has approved for civilian use a revolutionary device that can stop bleeding from a gunshot wound in less than a minute. On December 7, the agency gave the green light to deploy the XStat 30 to hospitals. The simple invention is a syringe-like tool that injects tiny sponges into a wound to treat hemorrhaging.

Originally developed with troops in Iraq and Afghanistan in mind, the XStat 30 could change the way gunshot victims are treated in the U.S. The device is designed to plug bleeding from bullet and shrapnel injuries to the groin, armpits, and other areas where applying traditional tourniquets could be difficult.

"When a product is developed for use in the battlefield, it is generally intended to work in a worst-case scenario where advanced care might not be immediately available," said William Maisel of the FDA’s Center for Devices and Radiological Health. "It is exciting to see this technology transition to help civilian first responders control some severe, life-threatening bleeding while on the trauma scene."

The device is the brainchild of a small startup in suburban Portland, Oregon, called RevMedx, which primarily designs products for military personnel and emergency first responders. This past April, RevMedx shipped XStat devices to the military for the first time. Over the long term, these devices and similar ones could reduce gun deaths in the United States. Data from the United States Army Institute of Surgical Research suggests 30% to 40% of civilian traumatic injury deaths are due to blood loss.
Reed T.L., Center for Devices and Radiological Health | Kaufman-Rivi D., Center for Devices and Radiological Health
Biomedical Instrumentation and Technology | Year: 2010
The broad array of medical devices and the potential for device failures, malfunctions, and other adverse events associated with each device create a challenge for public health device surveillance programs. Coding reported events by type of device problem provides one method for identifying a potential signal of a larger device issue. The Food and Drug Administration's (FDA) Center for Devices and Radiological Health (CDRH) Event Problem Codes that are used to report adverse events previously lacked a structured set of controls for code development and maintenance. Over time this led to inconsistent, ambiguous, and duplicative concepts being added to the code set on an ad-hoc basis. Recognizing the limitations of its coding system, the FDA set out to update the system to improve its usefulness within FDA and as a basis of a global standard to identify important patient and device outcomes throughout the medical community. Methods: In 2004, FDA and the National Cancer Institute (NCI) signed a Memorandum of Understanding (MOU) whereby NCI agreed to provide terminology development and maintenance services to all FDA Centers. Under this MOU, CDRH's Office of Surveillance and Biometrics (OSB) convened a cross-Center workgroup and collaborated with staff at NCI Enterprise Vocabulary Service (EVS) to streamline the Patient and Device Problem Codes and integrate them into the NCI Thesaurus and Meta-Thesaurus. This initiative included many enhancements to the Event Problem Codes aimed at improving code selection as well as improving adverse event report analysis. Limitations & Recommendations: Staff resources, database concerns, and limited collaboration with external groups in the initial phases of the project are discussed. Conclusions: Adverse events associated with medical device use can be better understood when they are reported using a consistent and well-defined code set.
This FDA initiative was an attempt to improve the structure and add control mechanisms to an existing code set, improve analysis tools that will better identify device safety trends, and improve the ability to prevent or mitigate effects of adverse events associated with medical device use.