Our HIT crystal ball has been flashing brightly lately, signaling the need for some sort of overhaul for FDA medical device regulations:
- First, a few months back, a source mentioned in an interview that he’s not as concerned about HIPAA compliance with Wi-Fi enabled medical devices that transmit patient data over their networks, because if that device is hacked, it only compromises one person’s data. Data breach reporting laws are triggered when 500 or more patients are affected. Keep in mind, this source wasn’t saying medical device security should be ignored. His thinking was that, right now, devices should sit lower on the priority list than sealing up more glaring vulnerabilities that currently exist on hospital networks and could affect more people.
- Then, in a SearchHealthIT virtual seminar, Beth Israel Deaconess Medical Center CIO John Halamka outlined how some device controllers in use at his facility are sequestered off the network as a matter of policy, because they’re running primitive operating systems such as Apache 1.0 – because that’s the most recent OS the manufacturer could get approved through the FDA’s expensive and time-consuming 510k process. If they were hooked up to the network or, God forbid, the Internet, they’re so vulnerable to hacks they could turn into the “VirusMaster 3000,” as he put it, propagating malware throughout the network.
- Finally, at the HealthTech Council meeting in Cambridge, MD, “ethical hacker” Ralph Echemendia (you’ll hear more from him in both an upcoming podcast and a story, because he gave some great advice for security-minded health care CIOs to shore up vulnerabilities in their facilities) said that both implanted insulin pumps and pacemakers have been hacked live, onstage, at hacker gatherings. The pacemaker hack was doubly scary – at least to him – because the person who demonstrated it “doubled down” and enabled a self-spreading pacemaker virus that would affect everyone wearing a pacemaker within a certain radius. This, the fairly unflappable Echemendia said, scared even him. Stealing money is one thing, he said. You can replace that. But these are physical threats that could be virtually untraceable.
Two problems are clear: First, manufacturers and health care providers (with the exception of Halamka) don’t appear to be taking medical device security seriously enough. Secondly, these devices and their controllers don’t really seem to be considered computers on the network, but standalone devices – technology islands unto themselves. They are not. They are network computers. Just like iPads and smartphones are little, working computer desktops.
In Halamka’s example, they’re simple Linux workstations, which puts them in sort of the same ballpark as a dumbed-down Droid X, no? Yet apparently, they’re still “standalone” in the mindset of the FDA. That’s got to change, because health IT lags behind other industries’ IT already…and medical devices appear to be lagging far behind the rest of health IT.
There is no doubt that the institutional review board (IRB) and cautious clinical trial system protect the general population from greedy souls looking to cash in on patients suffering from one medical condition or another, or well-meaning folks with simply too much faith in their own product design. Either way, the system attempts to prevent rushing half-baked medical devices to market.
That’s good. What’s bad is the process is so conservative and slow-moving, it inhibits manufacturers’ abilities to keep those devices current, because often, little upgrades force manufacturers to start anew with the 510k process, as if they hadn’t gone through the process already with the first iteration of a device.
There’s got to be a change to the process that maintains that level of patient safety while, at the same time, allowing updates to operating systems – especially their security components – to keep pace with current technology. For this to happen, the FDA needs to rethink its processes and upgrade its own internal operating system to accommodate the integrated, Wi-Fi- and Web-enabled world of medical devices…and give manufacturers a way to keep up with security threats with adult supervision of regulators who can ensure graft doesn’t get the best of these commercial innovators.
Because when it comes to devices, this stuff is starting to get scary. Patient privacy, physical health and progress in developing new and better treatments are all being stymied by this present regulatory paradigm. The time has come for a device regulation “2.0” makeover. Don’t make us choose between a pacemaker that can be hacked and no pacemaker at all in our later years.