A spike in reported medical device vulnerabilities may actually be a sign of a coming security renaissance.
Living in a time of rapid technological advancement has its benefits. Developments like the Internet of Things (IoT) have given us greater control over the granular details of our environments, allowing us not only to personalize how we live but also to make daily tasks like checking the weather or buying groceries more efficient.
Few markets have better demonstrated the power of technology than the healthcare industry. Yet despite the benefits of medical devices and other smart technology, healthcare providers are still attempting to manage the security risks of rapid innovation. Here’s how hospitals and medical practices can ensure that patients receive the highest quality care — without sacrificing their safety.
Benefits of Smart Devices
There are an estimated 14.2 billion connected devices currently in use, and by 2020, hospitals and healthcare facilities are expected to employ roughly 161 million smart devices. The integration of this technology into the medical field continues to open up more efficient methods of diagnosing, monitoring, and providing care for patients.
One example of this is the capsule endoscopy. Where a typical endoscopy procedure requires inserting a flexible tube with a light and camera to examine a patient’s gastrointestinal tract for signs of disease, a capsule endoscopy involves the patient swallowing a pill-sized camera that then transmits photos to a nearby receiver. Using machine learning to automate the image analysis process allows doctors to more quickly identify and diagnose any potential issues the patient may have. Not only are capsule endoscopies less intrusive for patients, but they can actually help examine parts of the intestines that other forms of endoscopy can’t reach. Newer models of capsule cameras can even perform biopsies or deliver medicine to targeted areas of the GI tract.
Connected technology also creates opportunities to monitor chronic conditions through the use of wearable devices. These devices allow the patient to go about their daily life while simultaneously communicating health metrics to a doctor. A connected insulin pump, for instance, removes the need for daily finger testing and injections by continually monitoring glucose levels and supplying insulin as needed. Smart or cloud-connected devices like this increase opportunities for remote monitoring, which can reduce the need for costly hospital stays or doctor visits.
In addition to convenience, this technology actually provides more consistent care and updates for patients. However, as more devices join the Internet of Medical Things (IoMT), it becomes vital that proper security protocols are enforced to ensure patients’ safety.
Compliance and Security Gaps
Between December 2016, when the FDA released guidelines for medical device cybersecurity, and August 2018, 18 medical device manufacturers reported 35 security advisories — a nearly 400 percent uptick from the three previous years. While these numbers are likely under-reported, analysts suspect that this recent spike may actually be a sign that medical device manufacturers are paying more attention to security risks and striving to make compliance a central factor as they continue to innovate.
There are a number of susceptibilities particular to IoMT devices. Many medical devices do not have the capability to run third-party software, which means they often lack antivirus protections or endpoint encryption. Even once identified, vulnerabilities can be difficult to fix — in many cases, the manufacturer of the device is required to give approval before security patches can be installed.
According to a recent report, 70 percent of medical devices will be running on unsupported or legacy versions of Windows by January 2020. This can create difficulties for a healthcare organization’s IT department if it doesn’t have the resources for troubleshooting older operating systems. Running older operating systems also presents the risk that installing updates or patches could actually make the devices inoperable, which could expose patients’ data to outside forces.
Addressing the Risks
In April of 2018, the FDA released the Medical Device Safety Action Plan for integrating ongoing technological innovation with strong security measures for devices and patients. The five areas outlined in the plan include:
- Establish a robust medical device patient safety net in the United States
- Explore regulatory options to streamline and modernize timely implementation of postmarket mitigations
- Spur innovation towards safer medical devices
- Advance medical device cybersecurity
- Integrate the Center for Devices and Radiological Health’s (CDRH’s) premarket and postmarket offices and activities to advance the use of a Total Product Life Cycle approach to device safety
Collectively, these five points provide an oversight framework for medical devices that seeks to reduce security vulnerabilities while encouraging continued technological innovation. One point the FDA plan suggests is prioritizing robust software education for patients that would allow them to take ownership over the management of their own devices. Another standard the FDA is considering would require that wearable devices be more easily updated or patched.
The medical industry is undergoing a massive shift toward patient-centric care, and the FDA’s plan is straddling an important line between driving new technologies that can make healthcare more efficient and maintaining strict patient safety measures. By putting patients first, marketers and healthcare professionals are giving individuals the tools to have more control over their own care.