In 2013, the Department of Homeland Security issued an alert on an emerging threat to healthcare and patient safety. Those of us in healthcare, meanwhile, have known about this issue for more than a decade.
I applaud the DHS and their effort to shine a bright light on a serious issue that does need to be addressed: Medical devices are not secure. They pose a threat to the networks to which they are attached and communicate with, and to the individuals who rely on them – in some cases for critical, life-sustaining purposes.
Did the government really just wake up to this issue? Not really. In 2007 the medical team for then-Vice President Dick Cheney modified his pacemaker, removing its ability to communicate remotely via wireless connection, because they knew it was not secure. Yet seven years later we in healthcare are still dealing with medical devices that are not secure. Television shows like Homeland and, more recently, The Blacklist have demonstrated how easy it is to track someone with a medical device (Homeland took it a step further and assassinated the vice president by hacking his pacemaker). And on top of that we have multiple well-known and some-now-mysteriously-deceased security researchers who have demonstrated how insecure these devices are. In fact, the DHS alert came on the heels of a research project that found 300 devices from 40 different vendors vulnerable.
So what are we doing about all of this scary stuff?
The Food and Drug Administration has issued two guidance documents and a new rule. Bill Maher would be proud. Two deal with what they call pre-market considerations, and the third deals with post-market surveillance. Together, these three documents provide some very useful information and sound guidance to both medical manufacturers and consumers of these devices. Let's also not overlook the DHS alert. It, too, provided some very useful observations and recommendations, but most importantly it finally got someone’s attention.
The first FDA guidance document addressed pre-market submission considerations for medical device manufacturers, including features and controls that they should consider, and hopefully include, in their medical devices. Some examples include access control, audit function, strong passwords, encryption, up-to-date software and OS, and an ability to test and apply patches. All good stuff. The second guidance dealt with radio frequency requirements for medical devices communicating wirelessly – again, things that a manufacturer should consider when designing and producing devices, such as frequency quality, wireless co-existence or resiliency around other wireless devices, security of wireless communications (think encryption), compatibility with other wireless devices and procedures for implementation and maintenance. Again, all great stuff if manufacturers will incorporate it into their products.
Therein lies the issue. This is just guidance, recommendations, not binding to anyone. The FDA did, however, issue the Unique Device Identifier (UDI) Final Rule, which requires every medical device to have a unique identifier printed on its label along with other safety information. This is very important and useful, because the fact that there have been no reported incidents of device failure or corruption has been used far too long as a rationale for not making changes. These identifiers will make it easier for organizations to tie individual device performance to a unique identifier, aiding in the recognition of potential cybersecurity issues. That could be huge in evaluating the performance of these devices and potential risks associated with them.
Taken together, these three guidance documents provide at least a sound baseline for manufacturers and consumers to use when designing, developing and using these medical devices. So far, we have not seen the medical device industry regulate itself and implement these standards. Consumers have been frustrated for years with vendors who refuse to address the security issues that these devices create. At the same time they have been reluctant to use their power by refusing to buy devices that aren't safe. One reason often cited is a lack of alternatives. That really on leaves one other option, albeit unpopular.
The question is, will 2014 mark a turning point in this situation? Will medical device manufacturers embrace the need to build more secure devices, or will the FDA, reluctantly or not, need to issue more new rules?
Mac McMillan is president and CEO of CynergisTek and chairman of the HIMSS Privacy and Security Policy Task Force.
