Funding, device longevity impediments to medical device security
Anura S. Fernando, chief innovation architect, medical systems interoperability and security, at UL, agreed that the healthcare industry still has a long way to go to provide even better-than-average security in connected devices. But he said one reason security tends to be uneven because not all facilities are as well-funded as others.
“Many hospitals and healthcare centers have very strong security policies and practices,” he said. “But small, independently run, rural clinics have to deal with the same security issues as large healthcare delivery networks, budgets, access to skilled workforce, and many other factors.”
There is also the reality that change will not happen quickly. Most medical devices are made to operate safely for years, sometimes decades. Consequently, many of those now in use were never intended to be connected to the internet.
That means the provisions of UL 2900-2-1, which call for the elimination of hard-coded passwords, among other things, will take considerable time to become mainstream.
Trowell noted that devices being designed for release this year “were being designed about three to seven years ago. This means that the best-case scenario is that a larger number of the devices arriving next year will have been designed with the suggestions made by UL 2900-2-1 in effect.”
Fernando said things are moving toward better security. The adoption of UL 2900-2-1 “by regulators around the world such as the U.S. FDA, Health Canada, Australian TGA, etc., has started to drive some alignment in the global approach to generating objective, test-based evidence supporting manufacturers security claims.”
The hope, he said, is that this will mean that “innovative new healthcare technologies can reach the patient bedside more quickly.”
No medical device security incidents yet
Meanwhile, in that extended interim, most experts agree that the value to patients of their connected devices far outweighs the risk of it being compromised by a cyber attack. Caccomo said that so far, the FDA “has not received any reports of patient harm directly linked to a medical device cybersecurity incident.”
She acknowledged that this doesn’t mean patients shouldn’t be concerned. She said a day-long meeting this past September titled “Cybersecurity in Medical Devices: Communication that Empowers Patients” included patients, industry representatives, health care providers, independent security researchers, and other stakeholders. She said patients “told us they believe that medical device cybersecurity is a matter of national security, as well as one of patient safety.”
But experts agree patients shouldn’t abandon the use of connected devices out of fear of those threats. “Many of the reported issues are real and they can be dangerous, but only in specific circumstances that are unlikely to occur in real life,” Trowell said. “For example, internal medical devices that are able to talk to external interfaces over wireless have a built-in security constraint,” which is that the human body is mostly water.
“Most wireless communication has access to these devices on wavelengths that are absorbed or reflected by water, which makes the range of effective communication so short that the attacker would have to have direct skin contact or in some cases closer contact to be able to effectively talk to the device,” he said.
Security should be part of critical service delivery
Still, the bottom line is that doctors and others involved in direct care need to understand that security is a crucial component of what Brown called “critical service delivery,” because poor security can undermine it.
“Even those individuals involved in healthcare with a high level of education, like doctors and nurses, are just starting to become aware of the clinical implications of cybersecurity,” Fernando said.
“The healthcare community is taking significant strides forward, but there is still a long way to go, and the road just keeps getting longer, so we need to maintain momentum.”
