What Do The FDA's New Interoperability Guidelines Say About Security?

Interconnected medical machines depend on interoperability: the ability of different machines and technologies to share and use patient information.

October 12, 2017 by Andreas Krebs

You don't want to be a doctor in a hospital where the medical equipment doesn’t work well together – or doesn’t work at all. (And in this scenario, you certainly don't want to be the patient.)

Interconnected medical machines depend on interoperability: the ability of different machines and technologies to share and use patient information.

“Today’s healthcare providers and their patients are relying more than ever on rapid, secure interactions among different medical devices,” writes Bakul Patel, Associate Director for Digital Health in the FDA’s Center for Devices and Radiological Health. “From electrocardiograms to infusion pumps, medical devices must reliably communicate and operate in concert.”

medical-device-interoperability

Roadmap to Interoperability

Universal interoperability seems to be just beyond the healthcare industry's grasp – for now.

“It’s a very fragmented industry,” explains M. Eric Johnson, dean of Vanderbilt University's Owen Graduate School of Management. “Only in the last five years has there been a push to build a more integrated IT backbone with security.”

As part of this recent push towards greater integration, the Food & Drug Administration (FDA) recently issued Recommendations for Interoperable Medical Devices to help FDA staff and manufacturers agree to standards that “promote the development and availability of safe and effective interoperable medical devices.”

The new guidance hopes to address the growing gulf among device manufacturers using widely varying communication standards and security protocols.

Low-Hanging Fruit

Security remains one of interoperability's most persistent bugbears. Any interface for the exchange of data between devices can be a weak point for hackers. And not even rapid growth in the medical device security market can keep up with the increasing instances of cybersecurity breaches in the healthcare field, resulting in identity theft, life-threatening hacks, and ransomware attacks.

The breadth of confidential personal information, kept by healthcare providers on legacy systems with poor cybersecurity controls, represent a tempting target for cybercriminals. A single successful attack on poorly-secured medical IT systems can handily harvest thousands of Social Security numbers, credit card numbers, and birthdates.

A Symantec report found that in 2015, the largest number of data breaches happened in healthcare, making up 39 percent of all breaches that year.

Patient Safety Over Data Security

How will security concerns play out in the rules set by the FDA's interoperability guidelines? Hard to say; the new FDA guidelines have more to say about ensuring safety and maintaining an open, transparent architecture.

Safety is “FDA’s first concern,” explains the FDA's Patel, who worries about the mistakes that can be made with “inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms)… in devices connected to a data exchange system.”

For now, the FDA offers a page where you can report cybersecurity breaches of medical devices; the government agency also holds device manufacturers responsible for “for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity.”

The FDA's vision for greater interoperability in the future will certainly lead to medical machines talking to each other better… but it's unclear whether it'll stop hackers listening in on the conversation.