Thursday, September 27, 2012

GAO issues long-awaited report on medical device security


Today, the U.S. Government Accountability Office (GAO) issued a set of recommendations to improve the information security of certain medical devices.

Congressional lawmakers who requested the GAO review issued the following response.  In August 2011, the lawmakers had asked GAO to investigate the topic.

In April 2011, I submitted a document on software issues for the medical device approval process at a Senate hearing on "A delicate balance: FDA and the reform of the medical device approval process."  The document raises questions about how to improve the trustworthiness of medical device software.  A more in-depth survey on trustworthy medical device software was commissioned in 2010-2011 by the Institute of Medicine for a panel investigating the FDA 510(k) clearance process.

Monday, September 24, 2012

Your medical device is secure as long as you don't plug it in. To use it, first plug it in.

Mark Olson, the Chief Information Security Officer (CISO) at the Beth Israel Deaconess Medical Center, offers an interesting analogy to summarize how hospitals feel they are being treated when it comes to security of medical devices they purchase:

"I equate this to buying a high-end automobile - such as a Mercedes Benz - and having it delivered with old-style drum brakes and no power brake system, and the salesman advising, "Keep it under 20 mph and you should be able to stop with no problem." The risks presented by this would simply not be accepted by the customer base; no one would purchase the vehicle, and it would soon no longer be offered."   
-Mark Olson
It's an interesting analogy to ponder as hospitals and manufacturers struggle to reach consensus over (1) what exactly are the problems facing medical device security, and (2) what are the most effective approaches to systematically improve security.  No more wack-a-mole approaches, please.  These security issues are really hard to solve because of both technical and managerial reasons, among others.

The good news is that some manufacturers (especially in the cardiac rhythm management and diabetes management markets) are beginning to integrate security thinking earlier in the medical device manufacturing processes.  I've met some really smart medical device engineers who are excited about improving security and privacy.  Manufacturers playing catch up should take a page from the companies who are succeeding at integration of security processes into manufacturing, but a danger is that it's often hard to distinguish good security from bad.  Beware of snake oil.  We owe it to patients to improve security of connected medical devices.  Security is an important public good!

The full article by Mark Olson appears at Healthcare Info Security.