In a pre-conference session on medical device and security, called "Medical Device Security Risks and Challenges: A Multidisciplinary Approach," held on Sunday, Dale Nordenburg, M.D., executive director of the Medical Device Innovation, Security and Safety Consortium, framed the issue as a public health issue.
In his view, all of the stakeholders in the medical device community have to come together to work collaboratively on leveraging medical device security and safety for good public health practice. Increasingly, every patient encounter involves a medical device that is digitally enabled and likely networked, he added, and. medical devices that don’t operate according to specifications may have very significant health consequences.
Theresa Cullen, M.D., is CMIO and director, Health Informatics Office of Informatics and Analytics, Veterans Health Administration, Department of Veterans Affairs in Washington, D.C.; before that, she was CIO for Indian Health Service. She said the health community needs to protect itself, its patients and its networks.
As the largest integrated health network in America, the VA system has 53,000 active clinicians and 650,000 discrete medical devices, of which 10 percent are on its network. Eventually all of those devices are going to be on the network, she said.
She said questions about patient safety are critical. Within the VA, there is a patient safety group and there is a security group, and sometimes they meet and sometimes they don’t, but patient safety should be a consideration from the beginning as applications get developed. She noted that medical devices are no longer standalone; whatever one person does with a medical device affects somebody else on the network. As a federal system, the VA’s risk/benefit ratio differs from the private space. “It’s a lot more difficult for us to take risks,” she said.
The security and safety issues around medical devices are about risk and mitigation, and who is responsible for that, she said. There may be things a health delivery organization to mitigate risk and some things it can’t, where the manufacturer or another stakeholder has to be responsible, she said. That’s why the transparency of the collaboration becomes so important. Healthcare delivery organizations can mitigating risk, but not get rid of the risk that is inherent in the device itself.
She said that medical devices differ from IT services, and this is a problem at the VA in the sense that security through IT, as it does in many health delivery systems, security is within the IT department. She said that this is is not about security; it’s about health delivery in a secure fashion. “The question changes; if the first question I ask is how do I make it secure, you end up with in a different place than how do I make my healthcare delivery system in a secure manner,” she said.
“For me, as a physician, the most important thing is the delivery of healthcare,” she said. “The good news is that there are people who look at this from security, and device security, and together, if we collaborate, we will come to a safe place.”
The VA does privacy and security training, and takes it seriously, she said. It uses it to make sure that people understand about biomedical equipment, what’s on the network and what’s not on the network.
She added: There is a belief from VA perspective that cyber security of medical devices in the continuum of care is necessary to improve the health status of the veterans it serves. By working together with industry, we belief we can leapfrog that. “From a healthcare physician’s perspective, we need the industry to leapfrog. There are a lot of the older devices that are out there, and they are out there because there is noting to replace them,” she said.
Michael McNeil is the global product security and services officer of Philips Healthcare, who offered the manufacturer’s perspective. He said if security is not built into the products and in their development life cycle, or if it’s treated as an afterthought, there are going to be problems. Security needs to be part of the design process along with appropriate vulnerability testing, he said. Manufacturers need to have an ongoing risk assessment to determine appropriate controls.
He notes that there are a lot of legacy devices, and understanding the risk assessment profile and what potentially needs to happen to work with those devices is a challenge that manufacturers have to take on. He added that different types of healthcare delivery organizations have different sets of challenges for manufacturers.
He added that when there are threats reported, appropriate action needs to be taken. Collaboration is a key message going forward, among the regulatory bodies and industry partners, he said.