As the Internet of Things (IoT) movement continues to gain momentum, several industries stand to contribute to and benefit from the trend’s popularity. One such industry is health care; however, as many have recently vocalized, the main concern about IoT is the security aspect, or lack thereof. According to recent PwC research, 47 percent of health care providers have already begun prescribing connected patient products, such as wearable patient monitoring and medical devices, but only 53 percent of them have implemented security controls. Medical and technological advancements come with great power, and with great power comes great responsibility – the responsibility to ensure the safety of patients.
The evolution of technology in the health care industry has raised concerns among the people who set compliance regulations, and those concerns gave rise to what are now known as HIPAA and HITECH, two acts implemented by the U.S. Department of Health and Human Services to ensure the protection of health care information while still allowing the innovation of new technologies. These efforts have not only expanded the scope of privacy and security defenses, but also increased the potential legal liability for non-compliance. Unfortunately, most scenarios are handled on a case-by-case basis, which has resulted in less rigorous enforcement of the acts upon medical device manufacturers at a time when new information technology is being developed on a daily basis.
To address this new connected reality, the FDA has compiled a set of recommended guidelines that manufacturers and health care providers can and should adhere to in order to safeguard both patients and their data. These guidelines are not yet mandated, and until they are, manufacturers must take it upon themselves to be as proactive as possible. One suggestion by the FDA is to conduct internal audits to identify the vulnerabilities and threats involved and to assess the potential impact of those threats and vulnerabilities on both the device and its end user. There are two kinds of security threats: one related to patient data and privacy, and the other related to the security of the implanted device itself. It is important to be vigilant and conduct routine internal security audits throughout the development process of these connected devices to ensure the manufacturer is operating in compliance with the established regulations, so that nothing falls through the cracks. Moreover, the interconnection between device communications and software should be checked continually against what an attacker could achieve, to ascertain whether the combination of solutions is safe from unscrupulous parties.
Similarly, manufacturers should implement a mechanism such as a corrective and preventative action (CAPA) system to help proactively identify and shed light onto any problems that may arise, notifying the appropriate stakeholders in a timely manner. Having such a system in place allows organizations to appropriately log and manage quality issues and in turn, guarantee the quality and safety of their devices before they hit store shelves or doctors’ offices.
Another proactive step manufacturers can take to ensure the safety and quality of connected medical devices is to address the human error factor involved in any manufacturing process. Organizations may want to consider updating the standard operating procedures employees carry out on a daily basis. Such changes might include adding steps so that employees do not unintentionally connect the devices to an open internet connection, use unscanned thumb drives to update the devices, or leave open sessions on the devices, any of which can let viruses or other malicious code onto the devices. The information that lives on these devices, as well as access to these devices, can pose a tremendous threat if compromised. For instance, in 2011, one hacker proved that several wireless insulin pump models were extremely vulnerable to attacks, bringing to light the possibility of a fatal dosage being triggered by an over-the-air attack. Such situations are unlikely, but technically feasible for someone with enough time, motivation and ill will.
The saying “better safe than sorry” rings especially true when it comes to the health care industry, and even more so for medical devices. Connect those medical devices to the Internet and the saying becomes more of a rule. Operators should always be on the lookout for warning signs. For example, unusually high data traffic between the device and the hub could be an indicator that the data is being accessed by external sources that are likely not authorized to open the files. Additionally, manufacturers should keep track of processing times to measure performance degradation that could point toward a denial-of-service attack or malware. Common sense points to a lower probability of these kinds of hacking or malware introductions because of the low financial value of such attacks; however, it is possible for unscrupulous parties to engage in these actions that threaten patient safety and jeopardize patient privacy.
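The two warning signs described above, a traffic spike between device and hub and a rise in processing time, can be turned into a simple baseline-and-threshold monitor. The code below is an added example, not from the original article or any device vendor: it builds a per-device baseline from the first few minutes of constructed telemetry using the median and median absolute deviation (MAD), which is less easily skewed by a single odd minute than a plain average, and then flags later minutes that exceed the baseline by a wide margin. The field names, the sample values and the multiplier of 6 are assumptions chosen for illustration; a real deployment would tune them per device model.

```python
"""Baseline-and-threshold detector for two warning signs on a connected
medical device: unusually high traffic to the hub and slower processing.
All telemetry below is constructed sample data, not real device logs."""
from dataclasses import dataclass
from statistics import median


@dataclass
class Sample:
    minute: int        # minutes since the start of the monitoring window
    bytes_to_hub: int  # bytes sent from the device to the hub in that minute
    proc_ms: float     # average processing time per reading, in milliseconds


# Constructed telemetry (assumed field layout): twelve quiet minutes, then a
# traffic spike at minute 12 and a processing slowdown at minute 14.
TELEMETRY = [Sample(m, 2_000 + (m * 37) % 150, 12.0 + (m % 3) * 0.5) for m in range(12)]
TELEMETRY += [
    Sample(12, 48_000, 12.5),  # far more data leaving the device than usual
    Sample(13, 2_100, 12.0),
    Sample(14, 2_050, 95.0),   # readings suddenly take much longer to process
]


def robust_threshold(values, k=6.0):
    """Return median + k * MAD. The MAD (median absolute deviation) resists
    the occasional outlier, so one bad minute does not poison the baseline."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # guard against zero MAD on flat data
    return med + k * mad


def detect_anomalies(samples, baseline_len=10):
    """Learn thresholds from the first `baseline_len` samples, then report
    every later sample that breaches either threshold as (minute, kind, value)."""
    baseline = samples[:baseline_len]
    traffic_limit = robust_threshold([s.bytes_to_hub for s in baseline])
    latency_limit = robust_threshold([s.proc_ms for s in baseline])
    alerts = []
    for s in samples[baseline_len:]:
        if s.bytes_to_hub > traffic_limit:
            alerts.append((s.minute, "traffic", s.bytes_to_hub))
        if s.proc_ms > latency_limit:
            alerts.append((s.minute, "latency", s.proc_ms))
    return alerts


if __name__ == "__main__":
    for minute, kind, value in detect_anomalies(TELEMETRY):
        print(f"minute {minute}: {kind} anomaly, observed {value}")
```

Run as-is, the monitor reports the traffic spike at minute 12 and the latency jump at minute 14 while staying quiet on the ordinary minutes in between. The baseline window should come from a period the operator trusts to be clean; learning it from already-compromised traffic would make the abnormal look normal.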
Lastly, manufacturers and suppliers should strongly consider implementing a system, such as an enterprise quality management solution (EQMS), that defines proactive tasks and corrective actions, manages the scheduling of those events, notifies the appropriate people and holds them accountable. Suppliers should be part of this critical system instead of managing their own system separately. Such systems allow an organization to achieve end-to-end traceability and visibility across all stakeholders, so that action can be taken in a proactive and timely manner to prevent issues such as device recalls.
Taking a proactive approach can mean more than just avoiding a recall. When a product has the potential to have an extreme impact on the health and safety of consumers, manufacturers should place quality above all else. The fact of the matter is that the Internet was made for sharing information – not with security in mind. When we create these devices, we must keep in mind the vulnerabilities that come with the technological advancements. Until the FDA issues mandated regulations around connected medical devices, it is crucial that manufacturers and health care providers alike take preventive and vigilant action to protect patients. That should be their priority!