Enhancing medical device security requires collaboration
Sociologists call it “the diminishing returns of complexity.” It’s the point where a major innovation (like the wireless IV medication infusion pump) begins to have some drawbacks, like the possibility that these devices can be hacked in a way that can lead to life-threatening complications.
Solving this particular problem involves the complex interaction of government agencies, healthcare providers, device manufacturers, security experts and business organizations, and many of the “solutions” to date have had their own serious drawbacks. For example, some vigilante security consultants aren’t content with just shining a light on a hospital’s security gaps for fear that the organization won’t take appropriate action. A handful of these firms have even gone so far as to partner with “short sellers” in an attempt to drive the allegedly negligent organization’s stock prices lower. That’s an ethical question better left to philosophers: do the ends (protecting patients from infusion pump hackers) justify the means (intentionally trying to undermine a hospital’s stock prices)?
A better solution is to form public-private partnerships that aren’t antagonistic – alliances that can lead to industry-wide standards and best practices. Otherwise, hospitals and manufacturers are likely to implement ad hoc solutions that produce more confusion than clarity.
The year 1492 is famous for Columbus’ first voyage and for the first known attempt at intravenous administration of medicine. But digital technology wasn’t involved until the 1980s, when the first programmable infusion pumps were introduced. However, those were all standalone products that didn’t communicate with other digital devices. Today, the Internet of Things (IoT) is in full swing. Most infusion pumps are now software-driven and network-connected; and that’s true for other types of medical devices as well: digital pacemakers, insulin pumps and even many radiology machines and CT scanning devices.
Although there have been very few attempts to cause bodily harm by hacking these devices, former Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless function because they were concerned that a hacker could send a lethal jolt to his heart.
The FDA’s Role
All medical devices must receive clearance from the Food and Drug Administration (FDA) before going to market. In 2010, the FDA was concerned enough about infusion pump security that it launched the Infusion Pump Improvement Initiative. For the past six years, the FDA’s Laboratory for Software Engineering has conducted extensive research aimed at improving infusion pump software security.
The FDA also periodically reviews the security measures taken by the major manufacturers of infusion pumps. Last year, the FDA issued an alert warning that the Hospira Symbiq infusion system could potentially allow hackers to take control of medication delivery. Hospira has stopped manufacturing that system, and the company created a software patch to minimize the risk to patients as hospitals transition to a different pump. Ironically, researcher Billy Rios discovered the alleged security flaws just weeks before he was hooked up to a Symbiq pump during a hospital stay.
Why Standards Are Needed
Here are some of the major reasons why the healthcare industry needs far-reaching standards and best practices for medical device security:
- IoT devices are easily accessible on the Internet because they have IP addresses just like normal computers.
- According to the Department of Homeland Security, there are more than 300 digital medical devices currently in use that have passwords that can’t be changed.
- A recent Freedonia group study found that about 2.5 million people in the U.S. have implantable medical devices – a number that’s growing at about 7% each year.
NIST Takes The Lead
The National Institute of Standards and Technology (NIST) is a non-regulatory agency within the U.S. Department of Commerce that was founded back in 1901. This highly respected agency has launched the National Cybersecurity Center of Excellence (NCCoE), a group that works with security experts from industry, government and academia to address today’s most pressing cybersecurity problems by providing standards-based solutions.
NCCoE has three primary goals:
- Provide practical cybersecurity solutions. The healthcare field, just like every other business sector, needs practical ways to implement cost-effective, repeatable and scalable cybersecurity solutions.
- Increase the rate of standards adoption. With NCCoE’s help, companies can rapidly adopt commercially available cybersecurity technologies by reducing their total cost of ownership. This approach helps foster the “we’re all in this together” mindset – a much smarter strategy than pitting hospitals and device manufacturers against short sellers.
- Accelerate innovation. Hackers around the globe are constantly looking for creative new ways to evade detection. To keep pace, NCCoE provides a collaborative, state-of-the-art environment for developing new cybersecurity technologies and standards.
Health Leaders Getting Involved
The NCCoE has created Community of Interest (COI) groups in six business sectors: healthcare, retail, financial services, energy, transportation and public safety. These groups bring together industry-specific advisors to share business insights and technical expertise.
There are currently seven technology-specific projects that the COIs are exploring:
- Data integrity
- DNS-based secured email
- Internet of Things (IoT) security
- Mobile device security
- Software asset management
- Attribute-based access control
- Derived PIV credentials
Cooperation, Not Conflict
Last summer, St. Jude Medical was involved in a very public and contentious stand-off with the cybersecurity company MedSec Holdings and the short-selling firm Muddy Waters. The latter company used research from MedSec to allege that St. Jude’s digital pacemakers and defibrillators had cybersecurity flaws. St. Jude share prices quickly plummeted by 10%, and the hospital is now suing Muddy Waters and MedSec in U.S. district court.
This is a costly and counterproductive way to improve patient safety. While these parties battle in court, hackers are working hard to stay one step ahead. So far, they’ve shown much more interest in stealing patients’ Social Security numbers than in sabotaging pacemakers and infusion pumps. But that’s no guarantee that it won’t happen down the road.
It’s important for healthcare C-suite leaders and IT professionals to get involved with NCCoE’s collaborative programs. That’s where the battle against hackers will be won, not in the courtroom.