Today’s hospitals and healthcare facilities have thousands of connected medical devices; that number will only grow in the coming years. Many others have written about why this is a critical problem and, if you were unfamiliar, I would encourage you to watch this great RSA demonstration.
There is no question that the solution to the current state of medical device security starts with a mandate and guidelines from the FDA, as well as a review of the rules currently in place. The solution is highly technical though, so simple guidance and a non-binding commitment from manufacturers to fix glaring security holes like default passwords, wide-open ports, and lack of updates are just the beginning. We must start thinking ahead towards what happens after the low-hanging fruit is picked. How can we shore up the technology that is already out there, build momentum, and then integrate security into the design and ongoing support?
There have been countless articles, interviews, and white papers on why collaboration is the secret sauce to improving the security and safety of our medical devices. However, much of the discussion has focused around external collaboration, that is, collaboration between industry, healthcare providers, and regulators (like the FDA). Where is the conversation about internal collaboration?
For years there has been very little crossover between biomedical engineering and information technology inside a healthcare provider. Yes, biomedical engineers might call up IT when one of their devices needs to be added to the Wi-Fi – but that is the extent of it. Now, these devices are not simply connected to a single internal server or service but, instead, are increasingly interwoven into the fabric of the network: they receive updates, synchronize data across multiple systems or interfaces, phone home to the manufacturer for monitoring and remote maintenance, or even connect directly to a device implanted in a patient.
The line between a device that is on biomed’s turf versus IT’s turf is getting slimmer every day but the devices cannot be handled like an everyday PC. Nor can we continue to allow them to be managed as they have been for years.
As the partnerships between industry and providers are starting to blossom, on the provider side, we must also get our own house in order by developing deep relationships between IT and biomedical engineering. In large part, we have little understanding of their world and they have little understanding of ours, but we have more in common than meets the eye. We must take the effort to learn each other’s worlds and pool our knowledge. This means on-the-job training as well as formalized classes led by experts. The FDA should expand its training and education courses to add courses specially tailored to IT professionals venturing into the field of medical devices.
This change will not happen overnight but we have to start somewhere. Leadership teams within providers must look for opportunities to collaborate with these two disparate teams in any way we can, even if it is something as simple as a monthly team meeting or lunch. Without internal collaboration, we are doomed to failure before we even begin.
Medical device manufacturers can no longer blame FDA regulations for poor security practices. In the industry’s defense though, the rules imposed by the FDA have been overly strict. Regular patches and updates for that infusion pump? Not without recertifying! Complex user authentication? Forget about it. Rapid innovation? Not a chance. Now, however, the security landscape is forcing change. The FDA’s recent Safety Action Plan and Memorandum of Agreement with the US Department of Homeland Security promise to pave the way for more pragmatic rules, slashing of red tape, and the acceleration of innovation.
While powerful first steps are being made on the road to more secure medical devices, the marketplace must continue to demand more. We cannot grow complacent because first steps have been taken—we have to keep pushing until security is baked into both design and regulation from inception. We must not forget that the security basics are still very much in play. We cannot solve this security problem without focusing on the decidedly “unsexy” parts of security – inventory, patching, and network security. Moreover, we cannot solve this problem without collaborating internally and externally. For providers, focus on collaboration between biomedical, IT, and security teams. For regulators, keep manufacturers accountable for the device’s security and make it easier for them to comply with the standards. For manufacturers, it will take some time to make these devices more secure, but partner with us on the provider side to make it happen.