Infected by Viruses: Risk to Medical Devices – Patient safety and some ways to mitigate using proactive processes

The 2009 stimulus package earmarked $30B for electronic medical records, which included interconnecting a myriad of communication devices tethered to hospital networks, with the ability to link to doctors' offices over the internet. We hear about malware, denial-of-service attacks and viruses attacking computer networks every day, and one side effect of this digitization is the risk that a computer virus infects these devices and renders them useless, compromising patient safety. GE Healthcare announced last week that they are investing $2B to create a more robust electronic health system that will accommodate smartphone devices. In fact, many device manufacturers, including Siemens, Philips and Hologic, are currently developing those smart devices. Since 2009, VA records showed that 327 devices were affected by malware (Source: Wall Street Journal, 06/14/2013, “FDA: Medical Devices at Risk from Cyberattacks”); there were 40 x-ray machine infections, and other mammography detection devices received malware too. These infections prove that security vulnerabilities in connected devices do pose a threat to patient safety and also expose sensitive patient information.

So how are the software rules established within these medical devices, and who decides what changes, such as malware updates, are allowed once system validation is completed? FDA’s Dr. Maisel says “manufacturers are permitted to make corrections to strengthen cyber-security”. It is not clear whether Process Qualification tests are required or need to be re-run every time an update to eradicate malware is completed.

These attacks are not just limited to large diagnostic, detection, or scanning devices; they can possibly be trouble for implanted devices too. How? Take a defibrillator or pacemaker that can ‘connect’ to a diagnostics server for tune-up or recalibration. If that server were infected, malware could theoretically be ‘pushed’ into the device, which could then be controlled to malfunction or to over- or under-stimulate. A device can be made so slow that it is rendered useless; a device can be corrupted to provide a wrong diagnosis or to send information to an external source for illicit use. This is what happened at Beth Israel Deaconess Medical Center in Boston, where a radiology device became infected when a technician inadvertently connected it to the internet, and the machine started to send X-ray images to an outside server. These issues caused a raft of problems, including but not limited to: system failure, patient safety, data integrity, exposed patient information, etc. The risk to an individual patient is low, but it is not zero.

So what can you do to be proactive? Until the FDA issues a clear and precise regulation on cyber attacks against connected medical devices, operators and healthcare centers can maintain a sense of control by managing this issue through a well-defined business process. This should be handled not as just another security issue, but as a business management risk that includes patient safety. It needs to be elevated out of IT and into operations. Here are some ways to be proactive:

- Perform routine security audits of the connected devices

- Implement a mechanism, such as CAPA, to follow through when observations or findings are reported, to notify the appropriate stakeholders, and to ensure proper close-out

- Update SOPs to include steps so that employees do not inadvertently connect the devices to an open internet connection, use unscanned thumb drives to update devices, or leave open sessions on the device, etc. SOP management should be done through a sunset schedule to ensure new device procedures are updated.

- Follow through with employee training on these SOPs and have recurrent training tasks

- Use leading indicators to look for trouble. For example: look for unexpectedly high data traffic between the device and the router/hub, which might indicate data being pushed or accessed by outside sources; measure processing times to spot performance degradation, which could be due to a DoS virus or malware.

- Use a system that provides proactive tasks, corrective actions and manages scheduling of these events and notifies the right people to hold them accountable. This system should provide end-to-end traceability and afford visibility to all stakeholders so they can take impactful actions in a timely manner.
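The leading-indicator check from the list above can be automated. The following is an added example, not part of the original article: it compares each device's outbound traffic and processing time against that device's own baseline and flags large upward deviations. The device names, field names, polling data and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

METRICS = ("bytes_out", "seconds_per_scan")  # hypothetical metric names

def robust_threshold(baseline, k=5.0, rel_floor=0.05):
    """Upper alert bound: median + k * spread (scaled MAD, floored at 5% of median).
    The median/MAD pair is used so one odd baseline reading does not move the bound."""
    med = median(baseline)
    mad = median(abs(v - med) for v in baseline)
    spread = max(1.4826 * mad, rel_floor * med)
    return med + k * spread

def find_alerts(samples, baseline_n=6):
    """samples: iterable of (device, bytes_out, seconds_per_scan), oldest first.
    The first baseline_n intervals per device are assumed to be known-clean."""
    per_device = defaultdict(list)
    for device, bytes_out, secs in samples:
        per_device[device].append((bytes_out, secs))
    alerts = []
    for device, rows in per_device.items():
        if len(rows) <= baseline_n:
            continue  # not enough history to judge this device
        for col, metric in enumerate(METRICS):
            limit = robust_threshold([r[col] for r in rows[:baseline_n]])
            for i, row in enumerate(rows[baseline_n:], start=baseline_n):
                if row[col] > limit:
                    alerts.append((device, i, metric, row[col]))
    return sorted(alerts)

def _series(device, bytes_out, secs):
    return [(device, b, s) for b, s in zip(bytes_out, secs)]

# Constructed telemetry: one value per polling interval, per device.
SAMPLES = (
    _series("xray-01",
            [1200, 1100, 1300, 1250, 1150, 1220, 1180, 98000, 1210],  # traffic burst
            [4.0, 4.1, 3.9, 4.0, 4.2, 4.0, 4.1, 4.0, 4.1])
    + _series("mammo-02",
              [800, 820, 790, 810, 805, 815, 800, 810],
              [6.0, 6.1, 5.9, 6.0, 6.2, 6.1, 6.1, 14.5])  # processing slowdown
)

if __name__ == "__main__":
    for device, interval, metric, value in find_alerts(SAMPLES):
        print(f"{device}: interval {interval}: {metric}={value} exceeds baseline")
```

Each alert is a finding that should feed the CAPA follow-through described above, so it is assigned, investigated and closed out rather than left in a log.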

Connect with Mohan on Google+.