Medical device security: More questions than answers for healthcare CIOs
Pacemakers that suddenly quit working; medication pumps that push too much or not enough dosage; electronic breaches that let bad guys prowl around undetected in your network so they can pillage confidential patient and financial data — these are the concerns that keep medical personnel, security experts, and the CIO awake. Though general medical digital safety and network security have been concerns for years, the healthcare industry increasingly is being warned of new vulnerabilities, especially the possibility that many medical technology devices – from radiation therapy machines to defibrillators – can be improperly accessed in our increasingly connected world.
While the average hacker may or may not be interested in the raw data from your average pacemaker, the greater concern is that they would have the ability to access this tech remotely and perhaps even take over its operation. This, combined with providers wanting to share electronic medical data with their staff and other specialists to improve patient care and provide faster response times, has created a dangerous combination of poor or non-existent hardware security and password policies. This lack of preparedness produces fears that a hack of one machine may lead intruders to the main network where they can cause real havoc.
Even though these concerns may sound like the stuff of sci-fi/health thrillers, medical professionals are beginning to take them seriously by looking at their own practices and encouraging manufacturers to include stronger protections in new tech and creating patches/fixes for what’s already available.
Missing from many of these discussions are government regulations or oversight, which some say would encourage the industry to take steps to ensure better security. Some envision a structure similar to HIPAA that affects everything from waiting room check-in sheets to how and when providers can discuss patient conditions with other caregivers.
Far from basic recommendations, HIPAA’s firm privacy/confidentiality rules include some serious teeth, including significant fines for both accidental and deliberate violations, plus disciplinary action at the corporate level.
In the case of medical technology security, however, the Food and Drug Administration has only issued lightweight, non-binding recommendations and leaves it up to the marketplace to create and enact security and safety standards.
The FDA’s “post-market management of cyber security” in December 2016 encouraged manufacturers to address cybersecurity throughout a product’s lifecycle, including design, development, production, distribution, deployment, and maintenance. Because more devices are becoming networked, one device has the ability to compromise the entire network.
These recommendations come two years after a FDA pre-market guidance document provided encouragement to shared stakeholders concerned about security. It encouraged manufacturers and medical providers to find ways to identify and protect their assets, but didn’t give any kind of firm road map.
Both documents emphasized proactively addressing security risks in medical devices and encouraged hospitals/healthcare facilities to continually evaluate their networks and machinery and look for vulnerabilities to protect.
The newest document showed that the FDA still wants reports about possible exploits and warned that it could potentially take action if companies deliberately fail to follow safety regulations in designing their medical technology, especially if someone is harmed. The new document also asks to be advised if manufacturers make significant improvements to their current or past technology, especially in items that can pose a risk of health or can’t be fixed within 60 days. The FDA stated it does not need to know about routine updates or patches.
The FDA followed the document up with a cybersecurity fact sheet that provides additional details about recommendations and clarified rumors about what its role should and shouldn’t be in future recommendations. It suggested that the best solution to medical device safety isn’t a top-down order from one government agency, but an informal coalition that includes everyone from individual physicians and patients to manufacturers and developers. The sheet suggested that the Department of Homeland Security have a role, especially if potential hackers could be part of larger criminal or international organizations trying to damage the country.
The FDA concluded that much of the responsibility starts with the hardware and software. The agency is encouraged that improvements are already taking place in their required Quality Safety Regulations.
Industry opinions range from supporting the FDA’s hands-off approach to those wishing the FDA could play a more active role in enforcement.
Focusing on patient health, or at least reducing risks of patient harm due to a compromised device, is a good place to start but does not make devices or networks more secure. It also doesn’t give guidance to questions of liability if a patient is harmed due to a device’s security flaws. If that were to occur, blame would be pointed at every involved party, including medical providers and manufacturers.
Overall, the need for cybersecurity of medical devices will continue to grow. Security tactics and hacker methods are evolving at the same time that networked, smart medical technology use is becoming mainstream. These factors will keep every CIO in the healthcare industry up at night.