Comparing Medical Devices on Security

New Tool Will Help With Assessments

The Medical Device Innovation, Safety and Security Consortium is refining a tool that cost-adjusts medical devices based on their security attributes, says Dale Nordenberg, M.D., executive director.

"This delivers a very important message to the market, which is healthcare organizations are willing to pay for security," Nordenberg says in an interview with HealthcareInfoSecurity (transcript below).

"Two years ago when we started, manufacturers were asking the question, 'Will healthcare delivery organizations pay for security?' This cost-based tool, which was developed at John Muir Healthcare System, has been deployed and is now being modified by MDISS. The fact that this has been well-received both by healthcare systems and manufacturers supports our market-based approach."

Protecting medical devices against security threats that could have potentially catastrophic safety implications for patients is difficult, Nordenberg acknowledges. That's because devices vary widely, from health apps running on wireless mobile devices used by consumers to wireless implanted devices and bedside diagnostic and therapeutic devices used at hospitals.

"Medical device security is a complex issue, for which the risks to patients and to privacy are not clearly understood," says Nordenberg, founder of the consortium, a public/private partnership that's working on a conceptual framework for security that spans the lifecycle of all types of medical devices.

"It's important to realize that no one entity, no healthcare delivery organization, manufacturer or technology company can mitigate all the risk," he says.

Healthcare providers can take specific steps to reduce some of the risks, from ensuring that their systems have the latest software updates available from manufacturers to improving the training of those who operate the devices, he says.

In the interview, Nordenberg discusses:

  • The risks posed by medical devices;
  • Why he believes malware is more of a threat than hacking;
  • Regulatory developments in 2013 that could begin to address key issues in medical device security.

In addition to his role leading the consortium, Nordenberg, a pediatrician, is CEO of the consulting firm Novasano Health and Science. He formerly was a managing director in the healthcare practice at PricewaterhouseCoopers. And from 2002 through 2007, he held various positions at the Centers for Disease Control and Prevention, including associate director and CIO at the National Center for Infectious Diseases and senior adviser for strategic planning in the CDC's office of the CIO.

The Consortium

MARIANNE MCGEE: Tell us briefly about your organization and your role?

DALE NORDENBERG: Our organization started about two years ago. Our founding organizations include Kaiser Permanente and the VA Healthcare System. We were started because of concerns these organizations had around medical devices, specifically security vulnerabilities that they perceived that these devices had, and the potential adverse impact that an exploited vulnerability might have in terms of patient safety and patient quality of care.

Since that time, we've been able to recruit over 35 different healthcare organizations, many of the leading healthcare organizations across the country. ... We also made sure that we were reaching down to achieve a broad spectrum of representation. We have county-based healthcare organizations. We've got smaller hospitals or smaller healthcare systems in addition to these large national enterprises.

My role is that of executive director. I see my role primarily being the convening of facilitation of contribution by our expert organizations, which now include the healthcare delivery organizations I've mentioned, but also include government agencies that are actively participating in the consortium, as well as technology companies, including manufacturers. What we've tried to do in the consortium is to create a robust ecosystem of stakeholders that are interested in medical device innovation, safety and security.

Medical Device Risks

MCGEE: Why are medical devices a security risk?

NORDENBERG: Medical devices, like any computing device in today's world, are vulnerable to intrusion, either intentional intrusion such as a hacking event or perhaps a spurious event, such as malware that's being distributed around the Internet. They have become more vulnerable as medical devices have evolved from stand-alone electronic devices to networked computing devices.

As that has evolved over the last several years, what's happened is that each enterprise that's delivering care to patients now has an organically-grown medical device network. When you look across a given geography, you really have a medical device network that exists at the city level or the state level and, ultimately, at a country level. Obviously, it's a network of networks. However, what we really need to understand today is that our whole national healthcare system is sitting on top of a ... national medical device network.

Now, each one of these medical devices, just like anyone's laptop or anyone's administrative computer on a network, is potentially vulnerable to malware or to hacking. What differentiates these devices from your typical computer are two things. One is that a medical device, by definition, is involved in some way with patient care, which makes it a device of significant interest because our public health is dependent on these devices.

Secondly, these devices are regulated by the FDA and, as such, it's not a trivial task for healthcare systems to manage the security-related issues in the same way that they can be managed for non-regulated computing devices. For example, the very routine task of patching an operating system that we all do on a weekly basis for our laptops or other administrative computers cannot be done in as trivial a way or as casual a way for medical devices because they're regulated. There are certain steps that must be considered. It's the same thing for applying anti-malware software. You cannot just go start deploying software to medical devices without contacting a manufacturer and having that manufacturer approve such steps, and that often involves the manufacturer having to install the software or the patch, going through a process of validation, and then potentially going through a process with the FDA. For a given institution that has literally thousands or tens of thousands of medical devices, this becomes a very significant IT administrative task and operational task, and even makes the risk, if you will, more complex.

Which Devices Are Most Vulnerable?

MCGEE: What medical devices do you think are most vulnerable to security issues that could pose safety concerns for patients?

NORDENBERG: This is a difficult question to answer in terms of prioritizing which devices would be either most vulnerable or most important. There are a large number of devices that impact a patient's quality of care, and we can identify certain devices that it would be very obvious that if they malfunctioned the impact on a patient could be catastrophic or increase even mild to moderate risks of morbidity or compromised patient care.

Devices that deliver doses of radiation - that class of device if it were not functioning properly would represent a potentially significant risk to the patient. Devices that infuse therapeutics into a patient's vascular system, into their bloodstream, which would have the ability to have immediate impact on a patient's health status, are another class of device that's of significant interest. For example, an infusion pump that delivers vasoactive drugs, drugs that impact cardiac function, heart function, lung function or other critical organ functions - if these were to malfunction, it's clear that the therapeutic dose would be compromised or would be wrong, and, as a consequence, the patient's health status would be compromised. This could happen very, very suddenly and instantaneously. Other examples of similar classes of devices would be insulin pumps. And there have been not only hacking attempts, but in controlled settings, security experts have successfully hacked into insulin pumps as you're probably aware of. They have also successfully hacked into cardiac defibrillators and demonstrated the ability to actually control these at a distance.

When we're looking at which are most vulnerable, that's a complex question. It's sort of like asking: "What's more important, the front wheels of the car or the back wheels of a car?" There are many devices that are very important that could impact a patient's healthcare outcome very immediately as well as devices that are more, if you will, subtle in their impact if they were to malfunction. Diagnostic devices wouldn't immediately cause the same sort of catastrophic impact that a malfunctioning radiation device or a malfunctioning infusion device might deliver, but it can by delivering, if you will, the wrong diagnosis [that] puts into play a long cascade of events that would really compromise patient care.

Then there are other considerations like: Where is the device deployed? Is it deployed in the intensive care unit? Is the device deployed on the floor? How does that impact criticality of the device? This is an interesting conversation. Many people believe that a device that's deployed in the ICU is a more critical device. It's deployed on the floor. But as a physician, when we look at these things, it's not so trivial.

For example, a device that malfunctions on the floor, if it affects the patient it may not be picked up for many hours because the patient may not be on real-time continuous monitoring. But the same patient, if they were in the intensive care unit and a device malfunctioned and the patient was compromised, then, in fact, we may pick up that problem very readily because monitors would pick up a disruption in the patient's health status.

These are complex questions, but we do know that there are constantly 1 billion patient encounters per year in this country. That's an estimate by the Centers for Disease Control. That includes both inpatient and outpatient events. ... And each one of those encounters today probably includes one or more contacts and one or more exposures to a digitally-enabled medical device. What we can see is the exposure to digitally enabled medical devices today is very significant. And that when you consider that the exposure to malware is not only pervasive but also accelerating, this is a much more important issue than hacking. [Hacking] could be catastrophic on a person-to-person level. But malware can target intentionally or it might impact large populations of devices unintentionally; but it works at scale.

As we look at these things, we really have to consider where the device is located, what the device is doing and also whether or not the device can be impacted at scale such as the case in malware.

Assessing Risks

MCGEE: How should healthcare entities be assessing for these sorts of risks and how should they be mitigating them?

NORDENBERG: This, like the other questions, is a complex issue. ... The reason that MDISS was formed, as we noted, was to bring together the ecosystem. In fact, there are three goals that MDISS has. One is to create this ecosystem of stakeholders and bring them together to help mitigate the risk for medical devices. It does that by helping to scope out and better understand the risk. We believe that the risk of medical device security and its associated risk to the patient and to privacy is still not clearly understood and clearly not quantified.

In addition to building the ecosystem, the second goal is to better quantify the risks epidemiologically.

The third goal of the consortium is to work together to collaborate to figure out how to mitigate that risk. It's important to realize that no one stakeholder, be it the healthcare delivery organization or the manufacturer or technology companies, can mitigate the risk. That's the importance of MDISS.

The other important aspect of MDISS is to really drive this from the perspective of the patient through the healthcare delivery organization and then to pull in the manufacturers and the technology companies. It's a very public health-centric approach.

I give you this background because the answer to this question is that what healthcare systems can and should do is to address these [risks] from a very tactical level within their organization, and many of them are starting to do this. It includes strategies such as isolating the medical devices on a network. It doesn't solve all the problems and, in fact, it creates other challenges, because it puts all the devices behind. In a segregated network, it means it's harder for these devices to participate in connected health, which is one of the prime strategies right now for improving the quality of our healthcare system. It also makes it harder to monitor the devices. It also doesn't ensure that all the devices you put into this isolated network weren't already infected, for example. They're complicated issues, but isolating the medical devices behind a firewall and putting them into segregated networks is one strategy that was deployed with some success initially by the VA and then by other organizations.

Then, there's a host of other activities that are very routine for other IT devices - just ensuring that you've got the most recent updates to the system as they become available from a manufacturer. Another thing that would be very important is to create increased awareness across the institution about these risks, improve training around this and improve the way the operators of the medical devices are getting trained as well.

But beyond the immediate concerns that are occurring on a day-to-day basis inside the hospital, it's important for hospitals to make a contribution to organizations such as MDISS, to make a contribution to the thought-leadership, and to ... industry's approach to medical device security and safety and privacy. What I mean by that is, even if we can figure out how to design a perfect medical device from a security perspective, it takes three to five years to get that into the design cycle. You want to create a new standard? It takes three to five years.

What we're trying to do is work with the healthcare delivery organizations. You can consider this a call to action to any healthcare delivery organization that's listening. Please reach back out to us because we'd love to get their input into what are their requirements and what are the challenges they're experiencing on the front lines with regard to medical devices. Because that contribution from them today helps us coordinate feedback to manufacturers or to the companies that are building the wireless infrastructures and hospitals, or the wired infrastructures and hospitals, or the companies that are struggling with how do you secure a medical device from malware in an effective way, in a way that's more challenging than a regular computing device for the reasons we discussed. Getting that feedback from hospitals is a major contribution that they can make today that will have impact.

We can then translate those issues and translate those requirements. Some of the things that MDISS is engaged in are the creation of tools to help with the procurement of medical devices with security in mind.

Regulatory Issues

MCGEE: What do you think we might see on the regulatory front this year when it comes to medical device security? Are there any regulations that are being worked on that will be important?

NORDENBERG: The regulatory bodies are very engaged on this topic right now, and the reason is multi-factorial. One, they independently have recognized the challenges around medical device security. Two, because of certain high-profile examples of hacking, there has been pressure from various policy groups, including government groups such as the Government Accountability Office, or GAO, which has started to examine security vulnerabilities in wireless medical devices or implantable medical devices, for example.

What people are realizing is that the population of medical devices is very diverse, and that creates complexity. For example, even defining what a medical device is in the wireless world, in the m-Health world, is proving difficult. And as such, the process of creating regulation around that is also complex and difficult. You want to create regulation to safeguard the public's health. At the same time, you want to ensure that regulation does not stifle innovation. That innovation is critical to enabling our nation's response to our healthcare challenges, and we want to support industry and the innovation. But at the same time we have to figure out how to do that in a way and regulate that in a way to promote patient safety.

We get into situations where you have devices that are generally-used devices, hand-held devices that we use for our day-to-day activities, and all of a sudden people ... load it up with software ... [so that the] general-use device now functions in a way that it probably falls into the category of a medical device. All of that is getting sorted out right now.

What we're going to see in the coming 12 months is increased clarity around: How do we define a medical device? How do we define a wireless medical device? What are the critical issues in terms of regulating these devices? All of this is going to be much clearer by the end of 2013. Not only with the role of the FDA, but the FCC is very much involved with this as well, and they in the last 12 months have initiated working groups around this issue, around spectrum and around communications that are critical to mobile health. ... While we can't say definitively what the regulators will come out with, we know that they're working actively on this. There are active policy groups on this. The robust growth of mHealth and its promise to change healthcare is driving a lot of this. I think we'll see some improved clarity, which is going to be a major contribution.

MDISS Initiatives

MCGEE: Are there any new developments or initiatives that you're planning at MDISS that you would like to tell us about?

NORDENBERG: When MDISS took a step back in its first two years as we started to develop the consortium, we've tried to identify how we could have the most significant impact in the shortest period of time. We observed a couple of things which I've already mentioned. One is that regulation is often complex and hard and it's a long process. The development of formal standards also is a process that could take three to five years comfortably. But as an organization with a public health vision and a public health drive - which is to as quickly as possible scope out the risk and mitigate the risk - what we as a group of ecosystem stakeholders that can benefit from the perspectives of the healthcare delivery organizations experiencing the challenges of managing thousands to tens of thousands of digitally enabled connected network devices discovered was that we can help influence the procurement process.

In essence, what we're trying to do in collaboration with all members of the ecosystem - not just the healthcare organizations, but also to take into account the input of manufacturers, infrastructure companies, anti-malware companies and security companies - is to understand how to build a robust set of requirements around security and how to translate those into tool sets that can facilitate the healthcare delivery organization's ability to differentiate devices based on their security attributes.

There are two short ways of saying that. One is, we're trying to achieve public health through procurement. We believe that ultimately what we do will be incorporated into standards in some way and will ultimately influence regulation. But this is really a market-based approach. One of the things that we're doing is developing a tool that cost-adjusts medical devices based on the security attributes. This delivers a very important message to the market, which is healthcare organizations are willing to pay for security. Two years ago when we started, manufacturers were asking the question, "Will healthcare delivery organizations pay for security?" This cost-based tool, which was developed at John Muir Healthcare System, has been deployed and is now being modified by MDISS. The fact that this has been well-received both by healthcare systems and manufacturers supports our market-based approach.

In addition, what we're trying to do is leverage the requirements that we're embedding in this tool to also help contribute to the growing list of requirements around medical device security that have been coming up from some other organizations but which we feel we can help contribute through the robust input of healthcare delivery organizations.
