A GE Healthcare executive offers practical advice on balancing patient safety, security, and usability for connected medical devices, including what to know about security in the cloud environment.
Blame it on the headlines, filled with news about ransomware attacks at hospitals, reports of hacking risks for various medical devices, and stories of hospital networks being breached via medical devices running old versions of operating systems. Perhaps because of increased awareness or a trend toward connected devices, the importance of connected medical device security has hit home for many manufacturers and health systems.
Now, the industry's questions have seemingly shifted from "Do I need to worry about cybersecurity?" to "How can I ensure security while balancing other device requirements?"
Steve Abrahamson, director of product security programs at GE Healthcare, tackled the issues of patient safety, device security, and usability during a session at BIOMEDevice San Jose titled "The Backdoor: Legacy Device Vulnerabilities and Risk." Audience members asked Abrahamson to address how best to balance device security and usability, security in the cloud environment, and factors to consider for point-of-care devices.
Asked about how to ensure a medical device is both secure and usable, Abrahamson first pointed out that patient safety comes before either of those considerations. He noted that a security control like an automatic log off would not make sense for a critical care medical device and that because such prevention measures should not be implemented in order to preserve patient safety, users need to be aware of alternative measures.
"Patient safety risk always trumps security risk or malicious activity risk," Abrahamson said. "If you think a security feature creates a safety risk, don't put it in there."
Usability is the third consideration. Abrahamson noted that there is a trend toward prioritizing security over usability when necessary. Referencing the widespread trend of physicians having less control over hospital device purchases, he said, "it's shifting to where the security have a lot more say in what that hospital system is going to buy or not buy."
While pointing out that the balance between usability and security is determined on a per-customer basis, "the landscape is shifting to where security is getting a little bit more important than usability in some cases--but usability is still very critical," Abrahamson said.
When a device is used at the point of care, its also necessary to remember just how open and public a hospital environment can be. One key point of advice is reducing the protected health information (PHI) that the device gathers. Abrahamson recommended that device manufacturers consider how many identifiers or what pieces of data are being collected and making sure that every piece is actually necessary. In addition, it's important to check that the data flow--which devices or databases are receiving that PHI--is also limited to what's needed.
"You apply principles and minimize risk by minimizing identifiers in unnecessary collection and unnecessary data flows where there's not a specific use case," Abrahamson said. He added, "Just be cognizant of the risks, minimize them where you can, and then apply controls or compensating controls recommended to your customer where you can't mitigate them."
A major component of medical devices becoming more "connected" is knowing how to work in a cloud environment. Abrahamson noted that GE Healthcare is "going big into the cloud," as are many medical product companies. He offered a few bits of advice, including understanding your cloud provider's security practices and remembering that cloud providers are responsible for the security of the cloud environment--not the security of your specific application.
"[Cloud providers] can make sure the walls are solid, but you still own the lock that's on the door," Abrahamson emphasized.
[Image courtesy of DAN/FREEDIGITALPHOTOS.NET]