Who's responsible if a diabetic's glucose pump fails – the company that made the pump or the physician who prescribed it?
The
question isn't easy to answer, but it sure is fun to discuss. And with
medical devices involved in more and more of the estimated 1 billion
patient encounters each year, it's a conversation worth having.
That
conversation helped launch the Medical Device Security Risks and
Challenges Symposium Sunday morning at the Orlando County Convention
Center. The daylong symposium was one of several pre-conference
sessions leading into the HIMSS14 Annual Conference & Exhibition.
To
Theresa Cullen, MD, chief medical information officer of the Veterans
Health Administration, the concern is very real. An ER doctor by
profession, she "lives with risk every day." And during her five years
as CIO of the Indian Health Service, she once had to dispatch a
helicopter down into the Grand Canyon to disconnect a device from the
network.
"It's not about security," she said. "It's about healthcare delivery in a secure fashion."
Now
she's dealing with 650,000 discrete medical devices in the VA, about 10
percent of which are hooked up to the network. So while she's worried
about device being used, she wonders if the companies that have designed
those devices did their best to make sure they won't break down or be
hacked.
That's Michael McNeil's job. As global product security
and services officer for Philips Healthcare, he's concerned not only
with the products now coming off the shelves, but with going back and
finding ways to protect and secure the company's legacy devices.
McNeil
said the medical device security conundrum falls into four categories:
patient safety, data integrity, legal and regulatory issues, and the
protection of intellectual property. And while some have charged that
the device industry won't act until they're directed to do so by the
government, McNeil said providers are mindful of the dangers of a
malfunctioning or hacked device.
Manufacturers understand "they're
not just selling the box and moving on," he said, and they have a
responsibility to ensure their products – including legacy products –
are safe and secure. That means keeping the lines of communication open
with providers.
If security is an afterthought with providers, he
said, "you're going to have problems, you're going to have issues, and
that's on the manufacturers."
Both Cullen and McNeil said the
answer to privacy and security lies in collaboration. And that should
involve not only vendors and providers, but legal and regulatory
agencies, standards organizations, even patients.
Is that happening?
Not really, said Dale Nordenberg MD, executive director of the
Medical Device Innovation, Security and Safety Consortium (MDISS). "We
still have a very significant silo problem here," he said.
"When we talk about collaboration, I'm not sure we're there yet," added Cullen.
As
the session wound down, Nordenberg looked out over the audience of
roughly 100 people and asked if any physicians or risk compliance
officers were present. No one raised a hand.
Link: http://www.mhealthnews.com/news/whos-blame-when-device-goes-rogue?page=0
