Clinical and ICT Cybersecurity Overview and Cases (A242-3)
Elliot B. Sloane, PhD, CCE - Elected Fellow of ACCE, AIMBE, and HIMSS
President and Founder, Center for Healthcare Information Research and Policy, USA
Disclosure: I have no conflict of interest with the materials provided.
Third WHO Global Forum on Medical Devices
Medical Device and ICT convergence issues emerging from Dr. Nobel's First Law: The Conservation of Trouble!
Enhancement of integrated medical and ICT devices to automate data capture and improve patient safety introduces new troubles squeezing out elsewhere: simultaneously expanding complexity of wired/wireless network, storage, and security problems in addition to clinical device safety!
In 2016, over half of US hospitals experienced ransomware attacks! (The other half may not know, AND the problems are being seen in Europe, too.)
Other Conservation of Trouble ahead?
Mobility has created "Where in the World is The Patient??" I can use my new Vonage phone service anywhere on the planet, but Al Gore's Internet 411 services think I am in Florida, even if I am actually in Shanghai!
Internet of Things (IoT): an EXPLOSION of smart light bulbs, outlets, and thermostats in the extended environment of care, all chattering via wireless and wired networks.
Opportunities?
Light bulbs (and virtually any powered object) can serve as wireless access points for adaptive mesh networks and replace Wi-Fi clutter.
A "Sentient Hospital", where some safety monitoring is built into the environmental systems.
The traditional C.I.A. Cybersecurity Triad is NOT enough for healthcare; clinical security needs SAFETY assurance!
Medical Device/System Safe Zone of Operation
Danger Zone: e.g., inconsistent or incomplete drug interaction libraries, or wrong dosing rules (a la Dennis Quaid's children).
Danger Zone: e.g., an EMR system that cannot notify if a ventilator sensitivity setting is too low or turned off for too long, OR multi-vendor device message mapping that is defective.
Danger Zone: e.g., alarms that cannot reliably get through a wireless network fast enough, or at all if the network is compromised, reconfigured, etc.
April, 2009, ebsloane.org
New frontiers create new problems, e.g., Li-Fi wireless communication (from Discovery News):
"Unlike Wi-Fi, which can potentially broadcast patient information far and wide, Li-Fi signals can be directed at a single user, which in turn helps keep their activity more private. And because it's easy to restrict, it could be used in locations like hospitals or schools. Laboratory tests have found that Li-Fi can transmit information at almost unbelievable speeds, over 200 gigabytes per second. That's fast enough to download 23 DVDs worth of information in the literal blink of an eye."
As prices crash, how long before they are easily installed in lobbies, clinics, and hospitals?
As the price point topples for IoT devices, how will we even know where IoT devices are in a hospital or clinic, or home??
Case examples
1. Medical devices (including radiology, cardiology, lab, and others) in the US and Europe have been hacked to attack entire hospital systems!
2. The EU is working on projects using wearable pollution sensors and medical devices to detect patient risks and intervene BEFORE an emergency, but device and data security is not yet robust.
3. Implanted defibrillators, pacemakers, and insulin pumps have ALL been hacked remotely.
   1. SOME users, and communities of users, have hacked their own or their children's pumps to improve individual care! Open source program repositories exist for these jailbroken medical devices!
4. Deutsche Telekom's Internet service for millions of users was shut down by a massive IoT device attack in early 2017!
Open discussion forum!
How are you and your colleagues preparing for these challenges, and what education/training/tools do you need?
What computerized inventory and management tool enhancements are needed?
How do cybersecurity and privacy fit into the whole picture?
What new regulations and standards are needed?
THANK YOU!
Elliot B. Sloane, PhD, CCE
Center for Healthcare Information Research and Policy
Villanova University & South University
ebsloane@gmail.com
www.linkedin.com/in/ebsloane