As device manufacturers try to improve cybersecurity, they need to consider how users might perceive and react to security measures.

T. Grant Leffingwell

Digital medical devices continue to grow in complexity and as such, cybersecurity is becoming increasingly important. Medical device manufacturers are developing sophisticated ways to ensure the digital integrity of their devices as well as the confidentiality of the information they contain or transmit.

With this increased focus on cybersecurity, it is imperative for manufacturers to consider how such security measures impact usability. This is especially important because poor usability in a medical device can result in harm.

It can be challenging to determine how to balance usability needs and cybersecurity concerns. One of the well-known ironies of product development is that the more secure you try to make something, the less secure it actually becomes. This occurs for a number of reasons, chief among them is the desire for users to circumvent anything that interferes with their natural workflows.

This behavior is especially prevalent with medical device users. Clinical users tend to have less patience for excessive security controls than do most others because they view burdensome security as an impediment to rapid, effective health care. Next time you visit a hospital, take note of how often you see security controls circumvented: computers that have passwords taped to their monitors, locked rolling carts with the combination lock number written on the frame, and so forth. It's not that healthcare professionals don't appreciate the value of secure systems--it's just that there is little tolerance for anything that interferes with their primary goal of patient care.

That's why, if you're developing a system that will need security controls, it's absolutely essential to conduct contextual research at the earliest opportunity. For instance, the user-shadowing observations that occur during an ethnographic study can help document those places in the process where security may be circumvented.

Another reminder is to consider "security fatigue." If users experience excessive and unnecessary controls, they quickly tire and become frustrated, leading to evasions and circumventions. How are they to know which controls really matter and which don't? By strategically employing security measures only when necessary, users will be more likely to cooperate with them.

Balancing usability with cybersecurity will continue to be a challenge, but studying your users early and placing their needs at the center of the development process is the best way to maximize your chances of making a system that is both usable and secure.

T. Grant Leffingwell is a principal research scientist and a certified usability analyst at Battelle.

[Image courtesy of DAN/FREEDIGITALPHOTOS.NET]