Medical-device security isn't tracked well, research shows

19.07.2012

The researchers combed through three databases: the U.S. Food and Drug Administration's (FDA) public, searchable database called "Medical and Radiation Emitting Device Recalls"; the "Manufacturer and User Facility Device Experience" (MAUDE) database that manufacturers, hospitals and physicians are supposed to use to report "adverse events" of all kinds; and, lastly, the FDA Enforcement Reports covering "safety alerts" and recalls.

"Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers in respect to security and privacy risks," the study says. "Recalls related to software may increase security risks because of unprotected update and correction mechanisms." The co-authors of the study, all medical professionals or academic researchers in computer science, include Daniel Kramer, Matthew Baker, Benjamin Ransford, Andres Molina-Markham, Quinn Stewart, Fu, and Matthew Reynolds.

Their analysis shows software-related problems to be a major factor in recalls, though reporting across the databases was inconsistent, and the security ramifications of a software-related recall were usually not identified.

"We believe the inconsistency between databases is due to lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer," the study points out. "Time pressure, lack of incentives, lack of federal safe harbor policies, and lack of clear actionable guidance further reduce the probability of incident reporting by clinicians and information technology staff."

Fu said he's been in contact with professionals at clinics and hospitals where individuals are "essentially afraid of reporting issues on paper for liability issues." He notes the U.S. may want to consider looking at the kinds of "safe harbor" laws that have helped other industries, such as aviation, in identifying safety issues.