AAMI News February 2018

Healthcare Industry Needs Standards, Not ‘Snowflake’ Security Solutions, According to Experts

Healthcare delivery organizations (HDOs) and medical device manufacturers need to be on the same page about the amount and type of cybersecurity information that should be shared, as well as how quickly vulnerabilities should be disclosed and security patches should be released, according to industry leaders who participated in a roundtable discussion published in the fall 2017 issue of Horizons.

“We could do great benefit to this entire industry if we could get the medical device manufacturers and the healthcare providers together and agree about what information needs to be shared about the products,” said Michelle Jump, a principal regulatory affairs specialist at Stryker in Kalamazoo, MI.

Right now, manufacturers are providing bespoke cybersecurity information because each hospital is its own “special snowflake,” according to Rick Hampton, a wireless communications manager at Partners Healthcare System in Boston, MA.

“No one is looking at the systems at the high level. Hospital staff are plugging things into the network and getting them to work as best they can—each in their own way—with little to no overall industry guidance,” Hampton said. “We’re not planning. We’re reacting because there are no effective plans for the complex systems we’re building.”

In other industries, such as aviation, there are large-scale integrators whose job is to interconnect specialized technology, said Ken Hoyme, director of product and engineering systems security at Boston Scientific in Maple Grove, MN. But in healthcare, the responsibility for integration falls mostly on the hospital itself.

Because of the “huge diversity of hospital systems that we end up interacting with,” a major challenge is “trying to understand a good common set of requirements of what security models we should be using so that we fit into a decent range of hospital systems seamlessly,” according to Hoyme. “We have to make sure that the standards and consensus are there.”

Jump agreed. “If we could have a clear idea of the specific type of information needed for our customers, we could build that into this process,” she said. “But with security right now, we’re asked for so many different pieces of information by so many different customers that we end up compiling the best information that we can for each hospital.”

A standard in development, IEC 81001-1, Health software and health IT systems safety, effectiveness and security—Foundational principles, concepts and terms, could prove to be useful in establishing this consensus. The standard will address transition points in the life cycle of a device where transfers of responsibility occur and the specific information that needs to be transferred at these junctures, according to Jump.

“The solution to the problems around healthcare security will depend on collaboration, coordination, and planning,” Jump said. “We’re doing the right things in developing standards, getting stakeholders together, and trying to solve this amongst ourselves rather than fighting against each other. That’s a positive note for the future.”

The fall 2017 issue of Horizons is available at www.aami.org/horizons_cybersecurity.