Security, regulatory challenges persist for medical devices

No single entity, whether a healthcare delivery organization, manufacturer or technology company, can mitigate all the risks that security threats pose to healthcare data, according to Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety and Security Consortium. In an interview with HealthcareInfoSecurity, Nordenberg outlined specific steps to reduce some of the risks.

Medical devices are a security risk because they're vulnerable to intrusion, whether intentional or not. Because devices are regulated by the U.S. Food and Drug Administration, securing them easily isn't possible, Nordenberg said.

"For a given institution that has literally thousands or tens of thousands of medical devices, this becomes a very significant IT administrative task and operational task, and even makes the risk, if you will, more complex," he said.

He added that devices that deliver any sort of radiation dose are especially vulnerable, as are devices that infuse therapeutics into a patient's vascular system. In controlled settings, security experts have shown the ability to hack into insulin pumps. And researchers from the University of Michigan recently found that sensors made to pick up a heart's rhythm in implanted cardiac defibrillators and pacemakers were vulnerable to tampering.

Developing balanced regulations is tough as well, according to Nordenberg. "You want to create regulation to safeguard the public's health," he said. "At the same time, you want to ensure that regulation does not stifle innovation."

Last fall, the Government Accountability Office said that the FDA needs to pay more attention to the security risks for electronic medical devices. GAO said that such devices rely too much on self-reporting from device manufacturers.
