Physicians are used to counseling their patients on the need to take care of themselves and take reasonable precautions to protect themselves from harm. Are you fond of cycling? Remember to wear a helmet to protect yourself from traumatic brain injury! Enjoy a drink at the pub? Remember not to over-indulge, or you risk a wide range of ills: from liver disease to fist fights and automobile accidents. And, if you’re out there hooking up willy-nilly and you fail to take precautions, don’t be surprised when you contact herpes or some other common (and preventable) STD.
There’s ample scientific evidence to back up each of these recommendations. That doesn’t mean, of course, that the risky behaviors don’t continue regardless. It just means that the physicians dispensing the advice know they’re standing on pretty solid ground when they dole it out.
When it comes to the fast-moving world of medical technology and connected healthcare, however, unchecked, promiscuous behavior is (unfortunately) the norm these days. And, unlike that other kind of promiscuity, doctors and hospitals are only just beginning to recognize the problem – let alone figuring out what to do about it.
That was one conclusion of a recent panel discussion that was held on June 12 under the auspices of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board (ISPAB).
Speaking as part of a panel discussion, “Emerging Guidance and Standards Affecting Medical Device Security” earlier this month, Dale Nordenberg, a co-founder and executive director of Medical Device Innovation, Safety & Security Consortium (and a practicing physician) said that the momentum pushing adoption of connected devices in the healthcare field is far outstripping the ability of healthcare providers to safely and securely deploy them. (Panel audio recording available here.)
“These connected care environments are evolving far more rapidly than associated best practices,” Nordenberg said. “It’s far easier to go out and buy something and implement it than to educate and train everyone (to work) in that new environment,” he said.
One problem is that connected health devices are coming on the market at a furious pace – driven by innovation at thousands of large and small device makers.
The investments are driven by hospitals desire to provide better and more efficient care, as well as by financial incentives embedded in legislation like The Affordable Care Act, which has turbo-charged investments in technologies like Electronic Health Records.
But Nordenberg noted that connected health initiatives and EHR are a double-edged sword. “If you’re going to increase the promiscuity, you better increase your security and monitoring and assess your devices and do cyber security exercises,” he said. Alas, very little of that is happening anywhere in the U.S.
Why? There are many reasons. Bakul Patel a Policy Advisor in the Center for Devices and Radiological Health at the FDA noted that medical device makers have deep expertise in writing embedded software that is reliable, but little experience with the kinds of networked applications that have long been common in enterprise environments. “So when they think about adding connectivity, its just out of the box and off-the-shelf stuff,” Patel said. That has led to a lot of unintentional security breaches in recent years.
There’s also a critical shortage of talent that’s hobbling manufacturers and their customers, alike. Patel said that only the top tier of medical device manufacturers – companies like Phillips, GE – sport internal teams to do cyber security assessments on new and established products. The rest – a long tail of smaller manufacturers – do not. In fact: many device makers struggle to accept the notion that hackers would be interested in compromising their connected health device. Period.
On the customer side, expertise is lacking, as well. Ken Hoyme, a Distinguished Scientist at Adventium Labs, said that there’s lots of “denial” in the healthcare sector. “Hospitals deal with the security of their pharmacy or of their newborns,” he noted. “But they’re not dealing with the security of their connected health devices.” (Check out Ken’s presentation here.)
The focus at most hospitals and healthcare networks is, understandably, on compliance with regulations like HIPAA. “There’s just no thought that we might be involved in a targeted attack,” he said.
You can’t entirely blame the healthcare providers. The FDA itself is struggling to find its footing in this Brave New World. Mandating security is good – in theory – but not if it impedes progress, locks in obsolete solutions or interferes with patient care, Patel suggested. “You don’t want someone to have to punch in a 15 digit password when they’re trying to turn on an infusion pump. That would not be useful.”
In other areas, such as mobile apps, the scrutiny given to traditional healthcare devices that have a lifespan measured in decades just can’t scale to accommodate a market that churns out hundreds of new apps a month – most of which never gain broad adoption and die a quiet death on Apple’s iTunes App Store or Google Play.
“The whole mobile app world has its own ecosystem and its user and consumer driven…These apps have a lifecycle of their own.”
What’s the cure? Patel said that the medical device security industry has lots to learn from its bigger, older sibling: the IT security industry, where tools, processes and roles have been honed over the last two decades.
As things stand, however, it is early days in the medical device sector and most of that hard work is still ahead.
You can listen to a podcast of the roundtable conversation here. (Note: the sound quality starts out weak, but improves vastly after the first minute or two – be patient.)