Last spring, the Washington, D.C.-based eHealth Initiative (www.ehidc.org) hosted a group of health care executives to discuss challenges and potential solutions for securing connected medical devices. The independent nonprofit organization -- of which the AAFP is a member -- is dedicated to transforming health care through the use of technology and innovation.
Fast forward to October -- National Cybersecurity Awareness Month -- and the release of a new report that presents key takeaways from that meeting.
The report, Securing Connected Medical Devices, was released jointly by the eHealth Initiative Foundation and Booz Allen Hamilton (www.BoozAllen.com), a consulting and analytics firm, and is available for download (www.ehidc.org).
In an Oct. 28 press release (www.ehidc.org), eHealth Initiative CEO Jennifer Covich Bordenick highlighted the importance of the topic: "All connected medical devices are vulnerable to cyberattacks. When cybersecurity risks are not mitigated, clinical efficacy and patient safety are negatively impacted, and companies are left financially vulnerable.
"Each step in a device's lifecycle poses a potential threat, and cybersecurity must be addressed throughout the course of a medical device's lifetime," she added.
- A new report released by the eHealth Initiative and Booz Allen Hamilton focuses on how to secure connected medical devices.
- The report was based on discussions held during a roundtable event attended by health care executives last spring.
- Report authors highlight some of the unique threats to a connected health ecosystem that include the absence of an expiration date on the capacity to do harm, the need for a threat-centric mindset and the lack of a one-size-fits-all solution.
The press release pointed out that as medical devices become connected, their value to physicians and patients increases -- but so does the responsibility to ensure protection against cyberattacks.
Challenges to Overcome
The report's authors defined connected medical devices as tools, networks and services that connect or integrate with other systems. "These innovations face new and diverse threats not previously in existence," they said.
"As soon as a medical device is connected in some way -- either wirelessly or wired, using a persistent connection or one that is transient, either one-directional or bi-directional -- the medical device becomes much easier to disrupt and the potential disruption much more severe," they added.
Although a prospective perpetrator must have close physical access -- generally, within two to three feet -- to exploit an unconnected smart device, the same is not true for connected devices.
"Physical proximity is not required to compromise a connected medical device," wrote the authors. They noted that earlier this year, both the Department of Homeland Security (www.us-cert.gov) and the FDA (www.fda.gov) issued advisories warning of a set of vulnerabilities that had been present in nearly 200 million devices worldwide since 2006. And the potential for exploitation has been real all that time.
Unique threats and risks to a connected health ecosystem include the
- absence of an expiration date on the capacity to do harm, which means that even secure systems "have latent vulnerabilities that go from 'undisclosed' to 'easily exploited' in a matter of days";
- need for a "threat-centric mindset" so that potential threats are constantly assessed through the lifecycle of the device; and
- lack of a one-size-fits-all solution due to the diversity of risks.
"Patients and health care professionals must be able to rely on the confidentiality, integrity and availability of connected medical devices -- and their data," said the authors. However, "No single 'security' approach is sufficient; many complementary solutions are needed," they added.
Moving the Needle
The report's authors summarized some key next steps expressed during that roundtable meeting. For instance, stakeholders agreed that the status quo is not sufficient.
"Securing the connected health ecosystem is a present challenge that has the potential to disrupt the entire industry if not dealt with quickly," the authors wrote.
They also stressed the importance of all players working together to address all threats and risks and of keeping an eye on future developments.
"The solutions required to 'fix' today's vulnerable devices are not the same as those required to 'prevent' future devices from being vulnerable," wrote the authors. "The future needs to be designed while still addressing today's needs."
Lastly, the report called for continued and ongoing engagement by all stakeholders.