Health IT Pulse

Oct 24 2012   12:46PM GMT

Medical devices next frontier for hackers, HIPAA security

Don Fluckinger

Tags:
health IT security
HIPAA
medical devices

Our HIT crystal ball has been flashing brightly lately, signaling the need for some sort of overhaul of FDA medical device regulations:

  • First, a few months back, a source mentioned in an interview that he’s not as concerned about HIPAA compliance for Wi-Fi enabled medical devices that transmit patient data over hospital networks, because if one of those devices is hacked, it compromises only one person’s data. (Under the HIPAA Breach Notification Rule, the 500-patient threshold is what triggers prompt reporting to HHS and notice to the media; smaller breaches must still be disclosed to the affected individuals and reported to HHS annually.) Keep in mind, this source wasn’t saying medical device security should be ignored. His view was that, right now, devices should sit lower on the priority list than sealing up more glaring vulnerabilities that already exist on hospital networks and could affect far more people.
  • Then, in a SearchHealthIT virtual seminar, Beth Israel Deaconess Medical Center CIO John Halamka outlined how some device controllers in use at his facility are sequestered off the network as a matter of policy, because they’re running primitive, long-unpatched software stacks as old as Apache 1.0, that being the most recent version the manufacturer could get approved through the FDA’s expensive and time-consuming 510(k) process. If they were hooked up to the network or, God forbid, the Internet, they’d be so vulnerable that they could turn into the “VirusMaster 3000,” as he put it, propagating malware throughout the network.
  • Finally, at the HealthTech Council meeting in Cambridge, MD, “ethical hacker” Ralph Echemendia (you’ll hear more from him in both an upcoming podcast and a story, because he gave some great advice for security-minded health care CIOs on shoring up vulnerabilities in their facilities) said that both implanted insulin pumps and pacemakers have been hacked live, onstage, at hacker gatherings. The pacemaker hack was doubly scary, at least to him, because the person who demonstrated it “doubled down” and enabled a self-spreading pacemaker virus that would affect everyone wearing a pacemaker within a certain radius. This, the fairly unflappable Echemendia said, scared even him. Stealing money is one thing, he said. You can replace that. But these are physical threats that could be virtually untraceable.
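The sequestering Halamka describes is ordinary network segmentation: the device controllers sit on their own segment and the gateway enforces default deny, letting only the one clinical data flow out and only one managed path in. The following is an added example of such a policy on a Linux gateway, written for this post; it is not Halamka’s or BIDMC’s configuration, and the VLAN interface names, subnets, the integration-engine address and port, and the biomed jump host are all hypothetical.

```nft
#!/usr/sbin/nft -f
# Added example, not BIDMC's configuration. Interface names, addresses and
# ports below are hypothetical; substitute the hospital's own values.

define DEVICE_VLAN  = vlan210          # unpatchable device controllers live here
define CLINICAL_NET = vlan100          # workstations, EHR, integration engine
define DEVICE_NET   = 10.210.0.0/24
define HL7_GATEWAY  = 10.100.5.20      # integration engine that receives device results
define HL7_PORT     = 2575             # MLLP/HL7 listener port (hypothetical)
define BIOMED_JUMP  = 10.100.5.9       # the only host allowed to reach the controllers

table inet medical_device_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to permitted connections; nothing else is implicitly trusted.
        ct state established,related accept
        ct state invalid drop

        # Outbound: a controller may push results to the integration engine
        # on the HL7 port, and nothing else.
        iifname $DEVICE_VLAN oifname $CLINICAL_NET \
            ip saddr $DEVICE_NET ip daddr $HL7_GATEWAY \
            tcp dport $HL7_PORT ct state new accept

        # Inbound: only the biomed jump host may open sessions to controllers,
        # so a compromised workstation cannot reach them, and a worm on the
        # device segment has no path back out through anything but HL7.
        iifname $CLINICAL_NET oifname $DEVICE_VLAN \
            ip saddr $BIOMED_JUMP ip daddr $DEVICE_NET \
            tcp dport 22 ct state new accept

        # Everything else to or from the device VLAN (Internet included) is
        # logged and dropped; the log prefixes give the SOC something to alert on.
        iifname $DEVICE_VLAN counter log prefix "meddev-egress-drop " drop
        oifname $DEVICE_VLAN counter log prefix "meddev-ingress-drop " drop
    }
}
```

Load it with `nft -f` on the gateway and watch the two drop counters: the egress counter climbing is the signal that a controller is trying to talk to something other than the integration engine, which on an isolated segment of unpatched hosts is exactly the “VirusMaster 3000” behaviour worth paging someone about.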

Two problems are clear. First, manufacturers and health care providers (Halamka excepted) don’t appear to be taking medical device security seriously enough. Second, these devices and their controllers aren’t treated as computers on the network, but as standalone appliances, technology islands unto themselves. They are not. They are networked computers, just as iPads and smartphones are small, fully functional desktop computers.

In Halamka’s example, they’re simple Linux workstations, which puts them in roughly the same ballpark as a dumbed-down Droid X, no? Yet apparently they’re still “standalone” in the mindset of the FDA. That’s got to change, because health IT already lags behind other industries’ IT…and medical devices appear to lag far behind the rest of health IT.

There is no doubt that the institutional review board (IRB) and the cautious clinical trial system protect the general population from greedy souls looking to cash in on patients suffering from one medical condition or another, and from well-meaning folks with simply too much faith in their own product design. Either way, the system attempts to prevent half-baked medical devices from being rushed to market.

That’s good. What’s bad is that the process is so conservative and slow-moving that it inhibits manufacturers’ ability to keep those devices current: often, even small upgrades force manufacturers to start the 510(k) process anew, as if they hadn’t already gone through it with the first iteration of the device.

There’s got to be a change to the process that maintains that level of patient safety while allowing updates to operating systems, especially their security components, to keep pace with current technology. For this to happen, the FDA needs to rethink its processes and upgrade its own internal operating system to accommodate the integrated, Wi-Fi and Web enabled world of medical devices…and give manufacturers a way to keep up with security threats under the adult supervision of regulators who can ensure graft doesn’t get the best of these commercial innovators.

Because when it comes to devices, this stuff is starting to get scary. Patient privacy, physical health and progress in developing new and better treatments are all being stymied by the present regulatory paradigm. The time has come for a device regulation “2.0” makeover. Don’t make us choose between a pacemaker that can be hacked and no pacemaker at all in our later years.

20 Comments on this Post

  • Don Fluckinger
    Medical devices next frontier for hackers, #HIPAA security http://t.co/KD992dl5
  • Ed Burns
    Hackers are after your medical devices, with implications for #HIPAA http://t.co/bsygoZb8
  • Jenny Laurello
    Medical devices next frontier for hackers, #HIPAA security focus: http://t.co/KArPj6s0 #healthIT #HITsm #medicaldevice
  • Gina Narcisi
    Medical devices next frontier for hackers, #HIPAA security http://t.co/KD992dl5
  • RisknCompliance
    Medical devices next frontier for hackers, #HIPAA #security http://t.co/6kvTTgSq
  • Don Fluckinger
    #HITsm tweetchat topic? Woeful state of medical device security. Recent things I've heard http://t.co/KD992dl5 quite concerning. #cHealth12
  • Robert West PhD
    #HITsm tweetchat topic? Woeful state of medical device security. Recent things I've heard http://t.co/KD992dl5 quite concerning. #cHealth12
  • TopPatch
    #HITsm tweetchat topic? Woeful state of medical device security. Recent things I've heard http://t.co/KD992dl5 quite concerning. #cHealth12
  • Rebecca Fein
    #HITsm tweetchat topic? Woeful state of medical device security. Recent things I've heard http://t.co/KD992dl5 quite concerning. #cHealth12
  • Wendy Kovitz
    #HITsm tweetchat topic? Woeful state of medical device security. Recent things I've heard http://t.co/KD992dl5 quite concerning. #cHealth12
  • Parham Eftekhari
    Medical devices next frontier for #hackers http://t.co/FE8FUVee #HITECH #HIT #Security #scary
  • dopaminergic13
    Medical devices next frontier for hackers, HIPAA security -http://t.co/ra1bkH0x
  • RogerGM
    Don, this is an important subject, especially for those healthcare providers who cut corners and use Skype. They should be using videoconferencing codecs, either hardware- or software-based, with a minimum of 128-bit encryption. These usually have the ability to create audit trails and provide breach notification.
