Tackling Medical Device Security IssuesPatient Safety Risks Need to be Addressed
The Department of Veterans Affairs is a founding member of the Medical Device Innovation, Safety and Security Consortium. The VA has launched its own medical device safety initiative (see: Medical Device Security Raises Concerns).
The security of medical devices is a significant risk management issue because the devices increasingly are linked to networks and exposed to malware, which could impair their functionality and potentially adversely affect patient safety.
We have a national biomedical device network that remains largely unrecognized.
Because so many medical devices, such as heart monitors and infusion pumps, are linked to computer networks, and because so many of those networks are becoming linked to others, "We have a national biomedical device network that remains largely unrecognized," says Dale Nordenberg, M.D., founder of consortium.
"Malware and security risks are evolving very fast," Nordenberg notes. As a result, the industry needs to consider whether the security of devices approved by the Food and Drug Administration needs to be regularly revisited, he argues.
Nordenberg was one of several speakers addressing medical device security at a recent information security conference co-sponsored by the Department of Health and Human Services' Office for Civil Rights and the National Institute of Standards and Technology. OCR and NIST deserve credit for helping call attention to this important issue.
"The risk is growing exponentially with the convergence of medical devices and wireless technologies," says Bakul Patel, policy adviser for The FDA's Center for Devices and Radiological Health. But the FDA has no information directly tying any patient safety cases to security issues for medical devices, Patel says.
Gathering EvidenceThe new consortium hopes to help gather evidence of how medical device security issues are affecting patient safety. Meanwhile, consider this: the Department of Veterans Affairs has tracked 173 medical devices that have been infected with malware since January 2009, says Lynette Sherrill, deputy director of the VA's health information security division. To mitigate the threat, the VA has launched an ambitious medical device security initiative. For example, the department has isolated 50,000 medical devices behind nearly 3,200 virtual local area networks to improve security.
Hacking of medical devices to intentionally cause harm eventually will occur, Nordenberg warns, pointing to one incident when someone hacked a website for epileptics and posted animations intended to trigger migraines and seizures.
That's why more organizations need to join the consortium and help identify best practices for protecting medical devices, before it's too late.