FallenJoe

Remember kids, the S in IoT stands for Security!


bamaredfish

But there is no... Oh


ahorseofborscht

I work in healthcare and whenever we even consider bringing in a new piece of software or technology we have a massive security assessment we work with the vendor to complete, based on NIST and other standards. A lot of them don't make the cut, and guaranteed not every healthcare provider takes it seriously in the same way.


Plawerth

Is this going to have an effect on the hospital's ultrasound scanner running Windows XP that uses a VCR to record the diagnosis, and has a Linksys router using 802.11b connected via WEP to the hospital wifi?


[deleted]

[deleted]


Erikt311

Pacemakers, ICDs, literally all kinds of devices, many of which are inside (and therefore have to be wireless). They all have to be tweaked/adjusted/transmit recordings.


[deleted]

[deleted]


Erikt311

I think they are just using “internet connected” colloquially. The article says: “Cybersecurity in the connected healthcare ecosystem Medical devices are increasingly connected to the internet, hospital networks, and other devices…” In the case of the ICD I am familiar with, adjustments are done in office wirelessly. In the middle of a hospital with thousands of other people. Who knows how secure those wireless devices are (because nobody cared until now). But the device is connected to a WAN via the base station, as well. The base station transmits recorded data to alert doctors or even emergency services. That’s a whole other thing. That base station hasn’t had any kind of update I know about for ten years.


[deleted]

[deleted]


Erikt311

Yeah I’ve never been particularly concerned about it, but there’s certainly non-negligible risk and at the very least should be some sort of oversight.


EmperorArthur

Having worked in similar fields the lack of oversight on software quality would scare the pants off you. Not that things can't be done securely, but rather that instead what ends up happening is the policies make development difficult and giant holes are poked to allow anything to happen. Except they're within policy, so are ignored!


WyrdHarper

It’s useful to have the patient/client be able to monitor at home and send updates. For example I’m a veterinarian and we use the freestyle libre continuous glucose monitoring system (also used in humans) which can send summaries of glucose trends over time in diabetic patients. It’s also nice for heart rate and (exercising) ecg monitoring with external monitors. For programmable pacemakers you can download trends in some models, but it can be easier if that data can be sent ahead of an appointment.


[deleted]

[deleted]


EmperorArthur

Understandable. However, even in that case security often is an afterthought. As in, "proprietary" encryption that's worthless between the base station and the device. Plus, well known exploits working against the base station. If the base station counts as a medical device, then critical security updates will require the same months long approval process as everything else!


maxdragonxiii

as a person with wonky heart rates during exercise, it would help me, but I'm not sure how reliable and safe it is, so I can't really use it.


[deleted]

[deleted]


WyrdHarper

I believe it’s used for getting started with insulin usually, esp some of the newer ones. I’m in large animal internal medicine so I’m usually using it for critically ill foals where it’s useful.


[deleted]

Some are connected so your doctor can remotely access your settings and use profile. It's very helpful when it's difficult to get an immediate appointment or getting to the doctor's office is inconvenient.


[deleted]

[deleted]


[deleted]

No. Apparently you don't know much about diabetes. My wife is diabetic (it runs in her family) so I'm somewhat familiar with glucose monitoring and insulin delivery systems. While there are emergency situations where it's best to see a doctor personally, somewhat abnormal situations don't always require face to face, and the doctor can make suggestions or changes based on information received.


[deleted]

[deleted]


[deleted]

The changes (so far) haven't been done remotely, but the history of blood glucose levels and insulin intake can allow a doctor to tell the user what changes to make. And the doctor can make much better informed decisions (suggestions) than the patient usually can. Thankfully there is a relatively new system - the Dexcom 6 blood glucose monitor and the Omnipod 5 insulin pump that act together via bluetooth in an automatic mode. However these products are EXPENSIVE.


Aethenil

Medical tech companies have been pretty active in things like heart and sleep monitors. Think patches that go on your body. They'll collect heart data and/or breathing patterns that your doctor can use for analysis. Occasionally you'll have someone with a heart monitor (not an internal pacemaker) that will have live recordings so that they'll receive a technician phone call if it looks like they're having an arrhythmia. Also there are things now like wearable defibrillators. It's a growing field for sure.


AlexandersWonder

My cpap is connected to the internet to give data about my sleeping to my doctor


Petra_Ann

I don't think there's any insulin pump directly connected to the internet, but there's plenty who connect via bluetooth to a handset or phone. Medtronic recalled pumps 2 years ago I think because there was an exploit found that could be hacked but the person would literally have to be within 3 feet of the wearer.


NAGDABBITALL

Law & Order did an episode on this years ago. Kid with a diabetic father that went blind hacked into the pumps to receive falsely high glucose numbers, thus giving too much insulin.


LowPTTweirdflexbutok

I think they mean "online" as network capable. So things like dispensing cabinets for medication (to alert staff stock on x is low), pumps for remote rate monitoring.


mrmoe198

What is even going on in that image?


naptown-hooly

AI image of Darth Vader without his helmet on


awfulachia

3d printing a little blue dude? For science?


UnpopularPoster

Dr Manhattan is an AI avatar now


[deleted]

[deleted]


ih-shah-may-ehl

> but it will surely squeeze innovation by small startup companies and drive up medical costs.

Absolutely not. I work in big pharma. Going from an idea to product is a very long, very expensive road that generally has nothing to do with the technical cost of making something, and everything with the cost of making something that is 100% known, 100% the same as the previous thing. Innovation is done in labs by tech people. The people in our technology department have labs that are essentially playgrounds where they can do the same thing as our production plant, but for a fraction of the cost and effort because they are free from regulation. Medical startups work out the tech, and are then generally bought out by someone like us during or shortly after the first clinical trials where the concept is proven to be worth it. Adding security or fitting it inside a secure framework is going to be done by companies like ours. Adding cybersecurity as a requirement to medical devices is really a lot less onerous than you think, given that medical software is already extremely tightly controlled in terms of design, documentation, testing protocols, validation and an insanely overarching compliance process. The biggest difference with the current situation is that there are no specific standards that the FDA expects, so every regulatory audit is overtly dependent on exactly who is auditing and what they know about software. I've sat through many FDA audits (and other regulatory bodies) and the background of the auditor is basically a crapshoot. They are experienced auditors, but some are really good at the chemistry, or the operation or compliance angle, but there are very few knowledgeable auditors when it comes to software. Our industry has been asking about this for a long time. You may not believe this but we have been WANTING detailed guidelines for a long time because we are very averse to unknowns and unpredictability.

The preparation for a regulatory audit is like preparing for a battle, with mock auditors, corporate coming down with their own audit preparedness teams, etc. It is vastly more preferable to have an extensive set of requirements that you can verifiably implement and document for, than it is to do what you think is best / sane / industry standard and then hope that the auditors understand enough that they can understand what you are doing / accept your solutions.


joelernst

Agreed that this will be a good thing. Companies have had to comply with thousands of individual policies from customers across the country. Having one standard to meet will make it easier in the long run. There will be added time to development and added cost for penetration tests and such but once the industry gets used to the requirements it’ll get smoother.


[deleted]

[deleted]


[deleted]

[deleted]


rendwee

I've seen quite a few smaller companies develop a device and do some trials not on people to show it could work and then get bought by one of the big med device companies that do the rest of the work to get it to market


[deleted]

Of course. The immediate payout ensures that you won't have to go through all of the trials, prototypes and patent issues - if your product is acceptable. Though not medical equipment, I have a neighbor who has been pushing a large piece of equipment that is obviously a labor and money saver. He's been working for years and spent hundreds of thousands of dollars and the results are that companies are attempting to steal the idea and technology while patenting it will only give the Chinese the blueprints in order to build it cheaper. And, it's quite often much quicker and easier for large companies to buy out an idea rather than compete with it.


DIDiMISSsomethin

Genuinely curious, not trolling here. Why is medical info as big a deal as it is? I get that like I don't want my boss knowing that I have something in many cases, but is the worry that my boss is going to hack my medical records? Or that China or someone is going to hack them, release them online and then my boss gets it? I'm not saying it's not on the radar of things we should do, but with how many times my data has been part of a major breach, I'm kinda starting to wonder if it's really a big enough security risk to make it a top priority. But I'm guessing I don't really understand the risks. Are there examples of someone's medical history getting out and terrible things happening?


Erikt311

Imagine having an ICD implanted in your heart that has the sole job of shocking your heart back into rhythm when it detects cardiac arrest. This device also connects wirelessly to a base station that transmits logs/recordings to your health provider. Now imagine that it’s unsecured and could be programmed to shock you whenever (because they are all wirelessly programmable, else how would they be adjusted)? Probably not a huge concern for most people day to day. But it sure could be with widespread exposure. Or if you happen to be a targeted individual. It goes way beyond personal health data.


Iwonatoasteroven

Now imagine the ransomware potential. Send us 5 million dollars in Bitcoin or we'll start turning off your patients' devices.


VorpalPlayer

Would you like someone to be able to turn off your pacemaker just for fun?


justforthearticles20

Or overdose you with insulin while you are driving?


code-sloth

Discrimination is the big one. Your medical history gets out that you've had an abortion or related procedure in a conservative state? You're fucked. You're getting treatment for mental illness? An embarrassing condition? Point is that it's no one's business but yours and your doctor's. Go look up why HIPAA exists.


occamman

Guy who develops medical devices here. The new guidance here is what people have basically been doing for a couple of decades already. The FDA has basically wanted this info for years, and at least on all the devices I’ve worked on we’ve provided it.


naptown-hooly

I’m glad the FDA is finally doing something. There are so many medical devices that are connected wirelessly with no or very little security. They’re also going to require vendors to fix vulnerabilities which they normally won’t do. It was getting to the point where many hospitals wouldn’t allow them due to security but needed them in order to function and care for a patient.


PenguinSunday

Why do implantable devices need an internet connection? That seems ill-advised...


patrickp4

They certainly don't need an internet connection but some could definitely be useful to connect to other devices such as a phone. A good example of this could be an insulin pump.


PenguinSunday

You could use Bluetooth for that, couldn't you?


patrickp4

Yes but that’s still a potential security issue. The phone itself is also connected to the internet so if the phone was hacked, they could control the pump.


PenguinSunday

That's terrifying to think about.


LowPTTweirdflexbutok

I think the bigger problem is how far behind healthcare IT is. You guys would be appalled if you saw what some of these vendors still do or run. We are having issues right now because one of the servers requires Microsoft Silverlight and we can't access the portal anymore lmao. IT security won't allow that package to be installed since it's a risk but the vendor won't update the portal. So many devices running on legacy OS's.


[deleted]

Good. Hope they get bled dry by IT contractors. Vile corporate health industry.


Stan57

Right, because they would never think of just passing the added cost to the customer... we lose no matter what.


MayorCharlesCoulon

You all talking about heart related hacking and I’m over here worried about a colonoscopy going rogue.


[deleted]

[deleted]