mHealth security panelists wonder, can a hacked medical device kill you?

From the mHealthNews archive
By Eric Wicklund, Editor, mHealthNews

The depiction of a U.S. vice president killed by his hacked pacemaker on the Showtime series "Homeland" may be a bit too fantastic for those in the mHealth industry to take seriously, but the potential exists.

More importantly, said the members of a medical device security panel at the HIMSS Privacy & Security Forum, healthcare IT executives should be aware that medical devices can be hacked and compromised.

"There's a little bit of truth just covered by a lot of exaggeration," said George Fidas Jr., product security officer for patient care and clinical informatics at Philips Healthcare.

The Monday afternoon panel session at Boston's Intercontinental Hotel was just one of several during the first day of the two-day conference, but it aimed for the heart of the summit's goals. The healthcare landscape is changing constantly, in large part due to the influx of mobile devices and mHealth initiatives, and it's getting harder to ensure that data - and people - are protected. HIT executives must be ever vigilant for new threats, and must make sure the resources under them are secure.

So while an implanted pacemaker won't kill its owner just yet, it could someday.

Paul Scheib, chief information security officer and director of IS operations at Boston Children's Hospital, said medical device makers used to "preach isolation for their products," but that philosophy is changing as those devices become integrated with mHealth platforms and information systems like the electronic medical record. "They are really not medical devices any more," he said. "They are systems."

Scheib said the healthcare community - and the general public, for that matter - is fascinated by the "look what I can do" cases, like hacked pacemakers and insulin pumps that can be rigged to deliver fatal doses. He said the medical community should instead be focused on the "90 percent of things that happen every day," and make sure that safety and security protocols are established and enforced.

Steve Merritt, manager of imaging and clinical systems for Springfield, Mass.-based Baystate Health, said the industry must encourage better collaboration between device makers and IT executives. "It can't just be the medical device makers being forced to do stuff," he said.

David Finn, Symantec's health IT officer and the panel's moderator, pointed out that medical devices "have been historically wildly neglected with regard to security," and said the U.S. Food and Drug Administration, with its device guidance released in June, is starting to take the issue seriously. Fidas agreed, saying regulations are generally "several steps behind" the industry.

"Today's best practices are tomorrow's regulations," he said.

Fidas recommended that healthcare providers conduct security risk assessments, and test often for vulnerabilities. "Just consider the customer's (vendor's) environment a hostile environment," he added.

Finn pointed out that the landscape will change even more as healthcare moves into the home with remote patient monitoring - giving devices even more opportunities to be infected, compromised or hacked. That, in turn, would lead to this question: Who would be responsible if a patient was severely injured or killed by a compromised medical device?

Chances are "Homeland" won't have that answer.