Interoperability in healthcare has been discussed for decades and is one the greatest challenges to be overcome in medicine. Not only because technical barriers exist, but because physicians practice medicine and research continue to push the boundaries, creating new terms to be defined and understood. In addition, the rate of this is accelerating (witness the rapidity of the mRNA vaccine efforts compared to historic vaccine development).
Within the past two decades, as science and technology have rapidly evolved, terminology in the fields of genomics, proteomics, nanotechnology, cybersecurity, and machine learning – to name just a few – has been added to our vocabularies.
While investments from the Health Information Technology for Economic and Clinical Health (HITECH) Act established standards within clinical settings, ancillary medical devices and combination products have not kept up. It is still not uncommon for medical and combination devices to operate on older, and sometimes even unsupported, operating systems (Microsoft Windows XP™) because the cost to upgrade is too great.
As regulated products move from one operating system to a more modern operating system, the product upgrades are not as smooth as those we experience on a weekly basis for our laptops. While our laptops have been developed to handle system upgrades and rollbacks to previous versions, medical and combination devices at times require significant code changes to ensure that the clinical features remain functioning but lack the ability to rollback. Upgrades and corrections of issues that require rollbacks can cause weeks-long delays to release corrected products, and, at times, devices using old operating systems are on the market for years in parallel with next generation products on a new operating system as it takes time to move clients to the new platform.
Devices that run on older operating systems are a cybersecurity risk, which ultimately means that they are patient safety risks. Hospitals manage the risks by segmenting their networks and preventing the higher risk products from connecting to the critical infrastructure network. The cost of this segmentation is that data interchange becomes cumbersome, expensive, and slow. The final result is that there is no single master data for any given patient, even within a single-care setting.
The risk to patients is becoming great as smart homes slowly become more popular and when wi-fi and Bluetooth features are a risk in public places. A well-known example of this is when then-Vice President Cheney turned off his pacemaker’s remote monitoring. There have also been numerous reports of hackers riding hotels’ wi-fi and spoofing into guests’ systems.
For all of these reasons, the U.S. Department of Homeland Security created the DHS’ National Cybersecurity and Communications Integration Center.
While the FDA will serve as the technical and clinical expert regarding medical devices, DHS will serve as the central medical device vulnerability coordination center. If you have a cybersecurity expert in your organization, most likely they already have their finger on the pulse of the coordinating center’s activities.
However, leaving all of the cybersecurity responsibility to the cyber team is as effective as treating product quality as the sole responsibility of the Quality team. The other challenge comes from cybersecurity being such a prominent issue for all connected devices. As a result, skilled practitioners in this area are in high demand for a number of industries and, consequently, are difficult to hire.
DHS is asking organizations to evolve their cybersecurity resilience by adopting best practices across the disciplines of security management, business continuity management, and information technology operations management. Assessing a domain via a Cyber Resilience Review (CRR) will provide an organization with an understanding of its Maturity Indicator Level (MIL).
These areas are nothing new to medical devices and combination devices as the domains are part of Quality Management Systems, and the FDA includes cybersecurity as a subset of these activities. However, DHS’ efforts are broader than just those at the product level. DHS’ efforts, as well as the FDA Quality Initiatives mentioned in Wednesday’s webinar “FDA Incentivizing Organizational Maturity to Drive Product Quality,” expand across organizations to achieve quality and excellence in asset management, controls management, configuration and change management, vulnerability management, incident management, service continuity management, risk management, external dependencies management, training and awareness, and situational awareness.
Lachman Consultants can help you to conduct a CRR self-assessment so you, as an organizational leader, know where you stand regarding cyber resiliency. Utilizing both cyber self-assessment results and an overall organizational data governance maturity review, as discussed on Wednesday, as well as the maturity software development lifecycle infrastructure, Lachman can implement corrections to improve organizational maturity for cybersecurity resilience, software development, and organizational data governance to drive continuous process improvement and organizational excellence in alignment with regulatory quality metrics.