We've seen unprecedented attention to medical-device security after an unorthodox report was recently released by short-selling investment research firm Muddy Waters Capital and MedSec, which alleged security vulnerabilities in St. Jude Medical's pacemakers. An independent research team subsequently raised doubts about some of the clinical claims made by the report. St. Jude Medical, meanwhile, has filed a lawsuit disputing the allegations in the same report.
Cybersecurity risks associated with medical devices must be weighed against the often life-saving benefits of these devices. Hospitals struggle in assessing those risks: They may not know which medical-device assets are exposed to cybersecurity threats or get meaningful responses from vendors, and there is no national testing facility for medical-device security. There are different schools of thought on how to safely and effectively share information regarding medical-device security vulnerabilities. However, we should agree that vulnerability reporting should not be done in a manner that causes people to make decisions based on fear, rather than on clinically relevant data.
A few leading health systems and some security researchers are accustomed to working collaboratively with the U.S. Food and Drug Administration, vendors, and other stakeholders to vet potential security vulnerabilities before announcing possible clinical implications. This vetting may include in vivo clinical trials, independent review or publishing in peer-reviewed venues capable of assessing immediate public health risks. Absent this rigor and coordinated disclosure, investigators may harm the long-term objective of improving patient outcomes.
In the wake of the report, whether or not the allegations in the recent Muddy Waters report are true, a number of questions have arisen: What are appropriate ways to disclose a vulnerability that may have clinical implications? Who should shoulder the cost of cybersecurity assessment among hospitals, vendors, security researchers, government and (hopefully not) patients? Is the healthcare community using the expertise at hand from the FDA, National Institute of Standards and Technology and other standards development organizations such as AAMI that have published a number of draft guidelines and engineering documents to help vendors build security into medical devices?
Investigation of medical-device security should cause no more panic to patients and clinicians than an airplane crash investigation by the National Transportation Safety Board. We urge the entire healthcare community avoid making overnight conclusions from unvetted claims. Instead, focus on protecting medical devices by sharing what you learn and by coordinating with one another on improving the fabric of assurance in healthcare delivery. No one can do this alone. All of us who work in healthcare know that the responsible use of medical devices saves lives. A hastily proposed security measure interrupting clinical workflow could introduce hazards worse than potential clinical risks posed by a security problem.
Hospitals have quickly become highly complex ecosystems of connected medical technology and computers that all carry inherent risks and are exposed to an increasing number of advanced threats. Hospitals typically do not have the right skills or budgets to shoulder the cost of post-market security testing of medical devices—which is known to reach an unsustainable $300,000 per device. Hospitals, government, researchers and device manufacturers must work together to do a better job with cybersecurity because our patients and their healthcare providers deserve it. We await the day when strong partnerships between healthcare delivery and CEOs of medical-device manufacturers will mirror the wisdom of the Bill Gates security memo. In 2002, Gates equipped Microsoft Corp. engineers with the leadership, skills, authority and budgets to combat systemic security problems. The knowledge and technology are available to make dramatic improvements. What is now required is the healthcare community's commitment and fortitude to “just do it.”
Kevin Fu, Ph.D., is CEO of healthcare cybersecurity startup VirtaLabs.com and director of the Archimedes Center for Medical Device Security at the University of Michigan; Dr. John Halamka is chief information officer of Beth Israel Deaconess Medical Center in Boston; Jack Kufahl is chief information security officer at the University of Michigan Health System; and Mary Logan, JD, is president and CEO of AAMI, a not-for-profit organization whose mission is to support the healthcare community in the development, management and use of safe and effective healthcare technology. The authors have no financial relationship with St. Jude Medical, Muddy Waters or MedSec.