Medical Device Security: More Questions Than Answers

Pacemakers that suddenly quit working.

Medication pumps that push too much or not enough dosage.

Electronic breaches that let bad guys prowl around undetected in your network so they can pillage confidential patient and financial data.

These are the concerns that keep medical personnel, security experts, and CIOs awake. Though general medical digital safety and network security have been concerns for years, the healthcare industry increasingly is being warned of new vulnerabilities, especially the possibility that many medical technology devices can be improperly accessed.

While the average hacker may or may not be interested in the raw data from your average pacemaker, the greater concern is that they would have the ability to access this technology remotely and perhaps even take over its operation. This, combined with providers wanting to share electronic data with their staff and other specialists, has created a dangerous combination of poor or non-existent hardware security and password policies. The fear here is that if one machine is hacked, it can lead intruders to the main network where they can cause real havoc.

Even though these concerns may sound like the stuff of sci-fi/health thrillers, medical professionals are beginning to take them seriously by looking at their own practices and encouraging manufacturers to include stronger protections in new technology and create patches or fixes for what’s already available.

Government oversight

Missing from many of these discussions are government regulations or oversight, which some believe would encourage the industry to take steps to ensure better security. Some envision a structure similar to HIPAA that affects everything from waiting room check-in sheets to how and when providers can discuss patient conditions with other caregivers.

Far from basic recommendations, HIPAA’s firm privacy/confidentiality rules include some serious teeth, including significant fines for both accidental and deliberate violations, plus disciplinary action at the corporate level. In the case of medical technology security, however, the FDA has only issued lightweight, non-binding recommendations and leaves it up to the marketplace to create and enact security and safety standards.

In its 2016 “post-market management of cyber security” recommendations, the FDA encouraged manufacturers to address cybersecurity throughout a product’s lifecycle, including design, development, production, distribution, deployment, and maintenance. Because more devices are becoming networked, one device has the ability to compromise the entire network. These recommendations came two years after an FDA pre-market guidance document encouraged manufacturers and medical providers to find ways to identify and protect their assets, but didn’t give any kind of firm road map.

Both documents emphasized proactively addressing security risks in medical devices and encouraged hospitals and other healthcare facilities to continually evaluate their networks and machinery and look for vulnerabilities to protect.

Where does the responsibility start?

The newest document showed that the FDA still wants reports about possible exploits and warned that it could potentially take action if companies deliberately fail to follow safety regulations in designing their medical technology, especially if someone is harmed. The FDA asks to be advised if manufacturers make significant improvements to their current or past technology, especially in items that can pose a risk of health or can’t be fixed within 60 days. It does not need to know about routine updates or patches.

The FDA followed the document up with a cybersecurity fact sheet that provides additional details about recommendations and clarified rumors about what its role should and shouldn’t be in the future. It suggested that the best solution to medical device safety isn’t a top-down order from one government agency, but an informal coalition that includes everyone from individual physicians and patients to manufacturers and developers. The FDA concluded that much of the responsibility starts with the hardware and software, noting that improvements are already taking place in their required Quality Safety Regulations.

Across the industry, opinions range from support for the FDA’s hands-off approach to wishing the FDA could play a more active role in enforcement. A good place to start is by focusing on patient health, or at least reducing risks of patient harm due to a compromised device; however, this does not make devices or networks more secure. It also doesn’t give guidance to questions of liability if a patient is harmed due to a device’s security flaws. If that were to occur, the finger would be pointed at every involved party, including medical providers and manufacturers.

Overall, the need for cybersecurity of medical devices will continue to grow. Security tactics and hacker methods are evolving at the same time that networked, smart medical technology use is becoming mainstream. These factors will continue to keep CIOs up at night.

David Chou is Chief Information and Digital Officer at Children’s Mercy Hospital in Kansas City, Mo. To follow him on Twitter, click here.