The internet of things and its role in U.S. healthcare
We are living in an ever more connected world. In our homes we can remotely manage – by smartphone – a growing list of devices: thermostat; lights; television; refrigerator; and security systems, just to name a few.
The trend toward connected devices – otherwise known as the internet of things – is becoming more prevalent in healthcare as well. Many hospitals now use wireless infusion pumps and echocardiograms integrated with electronic health record (EHR) systems, as well as RFID bracelets to track the whereabouts of patients, staff or sensitive equipment.
Hospitals now have connected monitors that alert staff on hospital-provided cell phones, enabling nurses to review deviations in patients’ vitals immediately and remotely. In large and geographically dispersed medical centers, infusion pumps no longer need to be hunted down to change titrations. Instead they link to their EHR and enable physicians to modify dosing while reviewing the patients’ vitals in real time – even if they are thousands of miles away.
Unfortunately, the improvements these connected devices provide also introduce new risks. By their very nature, connected devices offer additional attack surfaces for malicious hackers. Until recently, device manufacturers had defined relatively few standards specific to cybersecurity, and the process of identifying, reporting and mitigating vulnerabilities in healthcare devices varied by manufacturer.
Federal standards address expanding vulnerabilities
Just as the U.S. healthcare industry has seen increasing focus on the protection of patient health information through the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the subsequent HITECH Act of 2009, the internet of things will likely accelerate additional federal standards for the manufacturing, deployment and support of connected devices for patient care.
On December 28, 2016, the US Food & Drug Administration (FDA) released the guidance for Postmarket Management of Cybersecurity in Medical Devices, which outlines a common approach for manufacturers to assess threat reports and notify impacted users, as well as the appropriate government agencies. The guidance also includes patient safety risk mitigation steps.
Since the release of the guidance, FDA has continued to work proactively with healthcare device manufacturers to address patient safety risks. In August 2017, FDA issued a safety communication advising a firmware update for Abbott’s implantable cardiac pacemakers: an identified vulnerability in the wireless devices’ firmware allowed device tampering, affecting more than 465,000 U.S. patients. In April 2018, FDA and Abbott announced another firmware update.
Beyond standards: healthcare organizations take their own steps to ensure security
While FDA guidelines provide some post-manufacture standardization for medical devices, healthcare organizations must now take steps to manage their own growing device inventory. Dr. Vinay Vaidya, Chief Medical Informatics Officer at Phoenix Children’s, states “We have drills, we have exercises, we have phishing attacks that we launch internally to see and check for vulnerabilities in our system, and we want to keep one step ahead of the criminals, to safeguard the health of our children.”
Information technology teams now track vulnerabilities not only for laptops, tablets and mobile devices, but also for this broader category of connected medical devices. By subscribing to services such as US-CERT’s alert announcements and monitoring device manufacturers’ advisories, team members gain early knowledge of device vulnerabilities as well as the associated risk-mitigation steps.
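The tracking described above only works if advisories can be matched against an accurate inventory of what is actually deployed, including the firmware each unit runs. The following example, added here and not part of the original article or any vendor's tooling, shows that matching step: a hospital IT team's device inventory is compared against advisory records, and a device is flagged when its vendor and model match and its firmware is older than the fixed version. All device records, vendor and model names, and advisory identifiers are constructed placeholders; the advisory record layout is an assumption, since real US-CERT and manufacturer feeds each have their own format.

```python
"""
Added example (not from the article): match a connected-device inventory
against advisory records to find units still running firmware below the
version that contains the fix. Every device, vendor, model and advisory
ID below is constructed sample data, not a real product or advisory.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str   # hospital asset tag (constructed)
    vendor: str
    model: str
    firmware: str    # dotted version string, e.g. "2.9.0"
    location: str    # where the unit is deployed, for the work order


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder identifier, not a real advisory number
    vendor: str
    model: str
    fixed_in: str     # first firmware version that contains the fix
    action: str       # mitigation step the advisory recommends


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically.
    A plain string comparison would wrongly rank '2.10' below '2.9'."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(device: Device, adv: Advisory) -> bool:
    """A device is affected when vendor and model match (case-insensitive)
    and its firmware is strictly older than the fixed version."""
    if device.vendor.lower() != adv.vendor.lower():
        return False
    if device.model.lower() != adv.model.lower():
        return False
    return parse_version(device.firmware) < parse_version(adv.fixed_in)


def match_inventory(devices: List[Device], advisories: List[Advisory]):
    """Return (device_id, advisory_id, location, action) for every
    device that still needs the update an advisory describes."""
    findings = []
    for adv in advisories:
        for dev in devices:
            if is_affected(dev, adv):
                findings.append((dev.device_id, adv.advisory_id,
                                 dev.location, adv.action))
    return findings


# Constructed sample inventory: vendors and models are fictional.
INVENTORY = [
    Device("PUMP-0001", "ExampleMed", "InfusionPro 300", "2.9.0", "ICU bed 4"),
    Device("PUMP-0002", "ExampleMed", "InfusionPro 300", "2.10.0", "ICU bed 7"),
    Device("MON-0101", "ExampleMed", "VitalWatch 5", "1.4.2", "Ward B"),
    Device("RFID-0007", "TagCo", "TrackBand", "0.9.1", "Emergency dept"),
]

# Constructed sample advisories: IDs are placeholders, not real numbers.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "ExampleMed", "InfusionPro 300", "2.10.0",
             "Apply firmware 2.10.0; keep the pump on the isolated clinical "
             "network segment until updated"),
    Advisory("ADV-PLACEHOLDER-2", "ExampleMed", "VitalWatch 5", "1.4.2",
             "Confirm firmware 1.4.2 or later is installed"),
]

if __name__ == "__main__":
    # PUMP-0001 is the only unit below its advisory's fixed version.
    for device_id, advisory_id, location, action in match_inventory(INVENTORY, ADVISORIES):
        print(f"{device_id} ({location}) needs {advisory_id}: {action}")
```

The strict less-than comparison is deliberate: PUMP-0002 already runs the fixed version and MON-0101 runs exactly the version that contains its fix, so neither generates a work order, while PUMP-0001 on 2.9.0 does. In practice the inventory would come from the organisation's asset database and the advisory records from the subscribed feeds, with this matching logic run each time either side changes.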
Through diligence and community collaboration, organizations can help ensure ongoing security in healthcare through technology and innovation of connected devices.