The Challenges of Medical Technology's Interoperability & Security
“The vast majority of devices are patchwork quilts that use proprietary software. Manufacturers don’t want to disclose their interface, so they’re not creating application programming interfaces, APIs making interoperability really hard.”
Christopher Gates, Director of Product Security at Velentium
Today’s healthcare industry faces a double dilemma when it comes to technology. As medical data becomes increasingly digitized, medical staff and IT professionals must ensure interoperability between systems and devices while maintaining their organization’s network security. This task has become even more difficult due to the ever-evolving landscape of medical tech and the uniquely sensitive nature of patient information, which becomes vulnerable if improper access is granted.
“There is IT cybersecurity, and then there’s OT cybersecurity, information technology versus operational technology,” shares Christopher Gates, director of product security at Velentium, a medical device engineering firm. He explains that IT systems are designed to manage data and information, while OT systems control the physical processes of medical devices. Integrating these two technologies enables medical devices to collect, store, and analyze data, giving healthcare professionals greater insight into patient care.
But not all medical devices talk to each other or to a particular EHR system, which makes it difficult for healthcare providers to access and analyze patient data and leads to gaps in patient care and missed opportunities to improve outcomes. The lack of interoperability is a major challenge in integrating medical devices with electronic health records, and any potential solution must address both IT and OT security issues to keep patient health records secure, not only for privacy reasons but also because HIPAA requires it.
Unfortunately, however hard manufacturers and software engineers try, keeping health information safe when using medical technology is incredibly complicated: “I want them to stay ignorant of the risks they’re taking if their devices are interoperable today because if they were aware of it, they wouldn’t be using these devices,” says Gates. “At the end of the day, our lives improve with these devices, and they markedly improve patient outcomes, but they come with a huge risk.”
Keep reading for a closer look at these challenges, the solutions available to organizations looking to manage their resources while keeping patient data secure, and actionable steps to address these issues effectively.
Meet the Expert: Christopher Gates
Christopher Gates has over three decades of experience developing and securing medical devices for various industry leaders. Currently, he serves as the director of product security at Velentium, an engineering firm specializing in designing and manufacturing therapeutic and diagnostic medical devices.
He actively collaborates with regulatory and standard bodies such as NTIA, MITRE, Bluetooth SIG, IEEE, U.S. Department of Commerce, and FDA to design and formalize tools, techniques, and processes that facilitate the development of secure medical devices. He holds a BS in computer science from California State University Northridge and has worked as a software engineer, project manager, and cybersecurity architect.
Currently, the primary way that medical devices interface with each other while maintaining security is by using one of many standardized communication protocols and interfaces that enable secure data exchange between medical devices and EHR systems. These protocols are designed to meet industry-specific security and regulatory standards, ensuring that patient data remains confidential and protected against cyber-attacks.
“Generally, what these devices utilize for security is what is called a ‘challenge response.’ There is a shared key, and if it matches between devices, then they can share data,” explains Gates. “Here’s the problem with interoperability. You may have a device sending a challenge response, and that other device it wants to talk to doesn’t know it is being talked to. There are no shared keys. Another option would be to use certificate authority, where a device presents a 509 certificate, which is confirmed with a certificate authority. Still, you have to have something pre-shared between these devices so they can communicate.”
Here is a list of the biggest challenges in the interoperability and security of medical technology.
Because medical devices are often inherently small, the amount of processing power that can be built into them is limited: “Key infrastructure that we use, like certificate authorities and the network of trust relationships, takes a lot of computational and physical power. You may not have those cognitive resources on a small device. There are limits to what you can do,” explains Gates.
In the past few years, there have been significant advancements in the capability of this technology, but running encryption software remains an ever-present hurdle.
Lack Of Standardization
Arguably the biggest challenge in medical tech interoperability is a significant need for more standardization. In fact, the ISO, a non-governmental organization that has created thousands of international standards for numerous industries, lists over 50 different standards for medical devices. “The vast majority of devices are patchwork quilts that use proprietary software. Manufacturers don’t want to disclose their interface, so they’re not creating application programming interfaces, APIs making interoperability really hard,” explains Gates.
But patients want access to the data from their medical devices: “Some software companies have reverse-engineered the wireless connection so users can interface to it. That’s how companies have come about like Tidepool, which did just that for the diabetics,” says Gates. “Now you can monitor yourself with standard tablets that were never intended to work with your medical equipment because white hat hackers have figured out these interfaces and now use them to help you. But we can’t let those systems be insecure.”
Age of Technology
Medical devices, particularly those that may be implanted into a patient, can last for a very long time. In fact, the oldest pacemaker worked for an incredible 26 years. The age of some of the technology still in use presents significant challenges for interoperability as the software or hardware may become obsolete: “Manufacturers tend to create a device, hold that basic platform for decades, and only do slight upgrades and changes to it. It is not uncommon for me to see processors that are 20 or 30 years old,” says Gates. “Those devices don’t have the code space or the microcontroller to do cryptographic operations. They’re too small and too old and can’t do it.”
What makes interoperability challenging at the end of the day is that all PHI must be protected under HIPAA. Bluetooth is widely used for all kinds of devices to communicate with each other and is used in many medical technology applications as long as there is an added layer of privacy. “What we have to do in medical devices, again, is have a challenge response mechanism between the device and your smartphone. Somehow they have to have a shared key again.”
One way that developers are solving this problem is through the use of barcodes: “We are seeing companies use a barcode on devices that you can read with the camera on your smartphone. That can act as a challenge response mechanism, where that barcode now says you have physical possession of this device. Even if you have a bunch of them in the same room with you, you’re not connecting to those. You’re just connecting to the one you have scanned,” says Gates.
“This is important for a physician in an office. If they are talking to a patient with a device in front of him but 20 feet away in the waiting room, there are another ten patients. This ensures they are getting the data from the right device,” he adds.
Keeping data private and secure is not just about protecting people’s sensitive health data but is also about ensuring that the data is accurate. Hackers have targeted hospitals and EHRs in many different ways. “Everybody always thinks a denial of service attack is a complete shutdown. What if I just delay the data? So now the data is stale. For something like a glucose reading, the data would now be minutes old, and pumps deliver medication based on old, out-of-date information. That can actually be very harmful to patients,” says Gates.
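The barcode-provisioned challenge response and the stale-data problem described above can be shown together in a short sketch. This is an added example, not code from the article or from Velentium; the HMAC-SHA256 construction, the 60-second freshness window, the device names, and the assumption that the device and phone clocks roughly agree are all illustrative choices.

```python
import hashlib, hmac, secrets, struct

MAX_AGE_S = 60  # assumed freshness window; the article gives no figure

def tag_for(key, nonce, device_id, value, measured_at):
    # MAC over challenge + identity + reading (HMAC-SHA256 is an assumption)
    msg = nonce + device_id.encode() + struct.pack(">iQ", value, measured_at)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Device:
    """Constructed stand-in for a sensor; its barcode carries the shared key."""
    def __init__(self, device_id):
        self.device_id = device_id
        self.key = secrets.token_bytes(16)
    def barcode(self):
        return f"{self.device_id}:{self.key.hex()}"
    def respond(self, nonce, value, measured_at):
        tag = tag_for(self.key, nonce, self.device_id, value, measured_at)
        return value, measured_at, tag

class Phone:
    """Reader that trusts only the one device whose barcode it scanned."""
    def __init__(self, scanned):
        self.device_id, key_hex = scanned.split(":")
        self.key = bytes.fromhex(key_hex)
        self.nonce = None
    def challenge(self):
        self.nonce = secrets.token_bytes(16)  # fresh per exchange, blocks replay
        return self.nonce
    def accept(self, reply, now):
        value, measured_at, tag = reply
        nonce, self.nonce = self.nonce, None  # each challenge is single-use
        if nonce is None:
            return "no-challenge"
        good = tag_for(self.key, nonce, self.device_id, value, measured_at)
        if not hmac.compare_digest(tag, good):
            return "bad-mac"      # other device in the room, or a replay
        if now - measured_at > MAX_AGE_S:
            return "stale"        # authentic but delayed in transit
        return "ok"

def demo():
    mine, neighbour = Device("pump-A"), Device("pump-B")  # constructed IDs
    phone, t0 = Phone(mine.barcode()), 1_700_000_000
    fresh = mine.respond(phone.challenge(), 104, t0)
    out = [phone.accept(fresh, now=t0 + 2)]               # scanned device
    out.append(phone.accept(neighbour.respond(phone.challenge(), 250, t0), t0 + 2))
    out.append(phone.accept(mine.respond(phone.challenge(), 104, t0), t0 + 300))
    phone.challenge()
    out.append(phone.accept(fresh, t0 + 3))               # replayed reply
    return out
```

The third case is the one Gates warns about: the reading is genuine and correctly authenticated, so only the age check keeps a delayed value from being acted on.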
Solution: Third-Party Certification
A fairly simple solution that Gates sees to the interoperability and security of medical technology is to require a third-party security certification. Third-party certification is an independent evaluation of a medical technology product to assess its security measures and interoperability against industry-specific standards.
Achieving certification can improve patient safety, reduce cybersecurity risks, and provide a competitive advantage for manufacturers by demonstrating compliance with established standards.
“If these devices are supposed to work together, they would have to work with an independent third party and get credentials to allow them to do that. That would be your security, but also, it would be tested at that time to ensure it works,” says Gates. “The interoperability to be tested as well and verify that even though these two devices were never intended to work together, they can now communicate data in a secure way.”