Addressing the security challenges of devices
BOSTON—The three elements of patient data security are confidentiality, integrity and availability, which all must be factored into a program that successfully secures the vulnerabilities of medical devices, according to the speakers at a session of the second annual HIMSS Privacy & Security Forum.
The FDA has always focused on safety and effectiveness, said George Fidas, Jr., product security officer, patient care and clinical informatics, Philips Healthcare. “The FDA has a very good reason to be concerned about cybersecurity.” Fidas said regulatory measures are helpful for less mature organizations. “It gives them a voice. Some don’t have the resources to be directly involved with their vendors. Mature organizations have already been partnering with their vendors without a push from regulations.” Regardless, he said there’s no question that both large and small customers would benefit from a raising of the bar.
Fidas said official guidance eliminates the need for each company to do its own due diligence. “This isn’t new. There’s a natural conflict between safety and effectiveness over intended clinical use and protection against cyber threats. Historically, safety always wins.”
Increasing interconnectivity will lead to more security problems, said Steve Merritt, manager of imaging and clinical systems at Baystate Health in Springfield, Mass. Medical devices are probably going to overtake traditional devices. “We have to manage that and figure out what that risk is. We will have to work as an industry between different sectors to figure out how to effectively do it.” Merritt also pointed out that clinical engineering has traditionally been isolated but that has to change. “We need to have more convergence. Both parties bring a lot to the party and we need to start taking the best practices from each side and having open debates.” It may be that those best practices don’t apply to devices but it is a good risk management exercise.
Vendors have not provided the tools needed to manage outbreaks in devices, said Paul Scheib, information security operations director and chief information security officer at Boston Children's Hospital. When you experience a malware breakout on a medical device, what do you do? Turn off the medical equipment? “The cure can be worse than the disease.” Devices also are hard to isolate, he pointed out, since they feed into other systems.
Regulations for medical devices are “several steps behind” the industry, said Fidas. “Today’s best practices are tomorrow’s regulations.” He said regulations often are the result of “something bad happening first.”
Medical devices pose significant challenges to effective security. For example, most software uses antivirus tools to automatically fix problems, but that isn’t possible on a medical device because these devices are too critical. “We’re feeling out where the next breakthrough in that operational headache is going to be.”