Two Worrisome Studies Highlight Patient Safety​

As a budding clinician, I think a great deal about patient safety. Patients may assume that the health systems that provide care — and the devices used for that care — are sure to protect them. But two recent studies highlight weak points that have implications for patient privacy and safety. 

Ransomware attacks on the rise 

In JAMA Health Forum, Hannah Neprash and colleagues presented what they describe as the first ever census of ransomware attacks on health organizations. This kind of cyberattack uses software to lock users out of electronic systems until they pay a ransom — often in the millions of dollars. 

The study was inspired by a Tradeoffs episode, and it paints a troubling picture. The researchers found that from 2016 to 2021, the annual number of ransomware attacks on health care organizations more than doubled, exposing the personal health information of nearly 42 million patients. The researchers also found: 

• 44% of attacks disrupted care delivery.
• 36% of care disruptions lasted at least one week.
• 20% of attacks were not reported to the Department of Health and Human Services, suggesting more attacks occurred than could be documented. 

There are worrisome implications. Not only do ransomware attacks jeopardize patient privacy, but they can also disrupt electronic systems critical in health care: medication orders, provider alerts, and ambulance routes — potentially threatening patient safety and outcomes.  

Unsafe medical devices used as models 

Medical devices play an integral role in nearly every aspect of modern medicine, from pumps delivering chemotherapy to ventilators helping COVID patients breathe. A January paper from Kushal Kadakia and colleagues flagged an alarming flaw in the most common regulatory pathway for approving those devices.

The 510(k) pathway, as it’s called, has been used by the FDA to approve 99% of devices since 1976. Under 510(k), manufacturers of medical devices can avoid submitting clinical trial data for their device if they can demonstrate “substantial equivalence” to a previously approved device called a predicate.

The kicker is that the FDA allows manufacturers to base their 510(k) approval on a predicate even if that predicate has been voluntarily recalled for likely causing serious harm or death (known as a Class I recall). In other words, one flawed device could have a ripple effect, propagating further harm through future generations of devices. 

And the researchers found that is happening. Among 156 510(k)–authorized devices involved in Class I recalls from 2017 through 2021:

• Nearly 50% used predicates that had previously been recalled.
• Devices approved using a recalled predicate were six times more likely to also be recalled.

Prior reports have raised concerns about this flaw in the 510(k) pathway, but this recent paper quantifies the magnitude of the problem. The full scope of harm caused to patients is still unknown.