Medical Device Cybersecurity: Users can be your weakest link, or they can be your best defense

Given the level of connectivity in today's workplace, much of our time is spent validating that we are who we say we are. It is a two-way street: we are also constantly evaluating the security of a litany of interfaces. From logging on to your workstation to avoiding spam in your inbox, cybersecurity is part of everyday life. As connected medical devices become more intertwined, the number of connected nodes rises exponentially. This rise in connectivity gives us greater access to health and medicine, but it also provides exploitable access points through which our health data, or even the devices themselves, can be compromised.

Cybersecurity is becoming a pervasive factor in the development, use, and lifespan of connected medical devices, and human factors testing is a crucial part of that development. Designing secure medical device interfaces with the user in mind, conducting formative testing to ensure users understand and correctly implement the cybersecurity features that mitigate the risk of a hack, and monitoring product use (or potential misuse) are all critical to keeping the product unaltered and the user's information protected. There is plenty of material out there on cybersecurity in general. This article digs into the human factors component: healthy communication with and involvement of users, strategies to ensure your human factors testing adequately assesses the cybersecurity of a product, and insights on future developments from regulatory bodies concerning connected medical devices.

Current Relevance

In the past year, due to the pandemic, the FDA has authorized virtual healthcare and telehealth functionality in a multitude of areas. The FDA also launched the Digital Health Center of Excellence within CDRH, which was already in motion prior to the pandemic. This has granted patients greater access to healthcare, and the shift to working from home has also forced the companies that provide those healthcare products and services to respond appropriately. This massive shift in the access points of connected medical devices has elicited a pandemic-scale uptick in cybercrime as well. The path forward indicates a robust regulatory evaluation of cybersecurity measures integrated throughout the connected medical device spectrum, with human factors components ingrained throughout to ensure device integrity.

Healthcare cybersecurity expert and now acting director of Medical Device Cybersecurity at FDA CDRH, Kevin Fu, emphasizes issues for healthcare technology professionals to address, including procurement, clinical relevance, and a complete clinical network inventory, in order to assess the level of cybersecurity required for your application. The AAMI technical information report TIR75 is also a go-to reference for guidance on medical device security risk management. To prevent breaches, it is crucial to design medical devices and their cybersecurity features with the user in mind. Ensuring the user understands the cybersecurity involved in device operation is the best way to keep sensitive data and device access secure.

User interface communication of cybersecurity measures

In October of 2020, the Patient Engagement Advisory Committee of the FDA issued a discussion paper and request for feedback titled “Communicating Cybersecurity Vulnerabilities to Patients: Considerations for a Framework” [1]. This summary emphasized the following goals when developing a cybersecurity framework:

[Table 1: goals for a medical cybersecurity communication framework (image not available in this copy)]

[Figure: sample cybersecurity risk appendix for an insulin pump (image not available in this copy)]

The document also provides a mockup of the suggested layout for informing users on these matters, which helps to illustrate the level of detail expected of medical product and device manufacturers. The example appendix, written for a common medical product (an insulin pump), provides recommendations for content, layout and organization, and situations to consider. The keys and symbols used should be implemented consistently throughout your product UI, and be easily understood by and applicable to your target audience. Important elements to consider include what a compromised product may look or act like: users will never be able to detect a hack if they don't know what to look for.

Maintain secure connected medical devices: ensure users know right from wrong

Everyone knows they should use strong passwords, not click suspicious links, and avoid free USB drives (hopefully!). We would like to share some actionable policies and strategies to integrate into your medical device, along with human factors testing methods to apply, by drawing on a safety practice that is already in common use: fire safety.

1. What does a fire look like? Will users and/or smoke detectors respond appropriately in case of a fire?

Human factors evaluations of detectable cybercrime may look like:

  • Simulation of a compromised device,

  • Troubleshooting indications of connectivity and/or device alerts, and

  • Testing to determine if users are aware of how and why to monitor their device.

2. Make sure users are aware of firewalls (and respect them!)

Ensure all users are aware of and maintain segmentation. Your favorite coffee shops may not be the best place to connect your insulin pump or pacemaker. HF testing can simulate connectivity scenarios.

3. Routine updates

Ensure your product is up to cybersecurity code; this includes a user who actually implements those updates. Did you know the average time to detect a breach? It's 96 days [1]! Make sure there are clear instructions on how and when to perform software patches. Consider implementing a training manual to keep users on board with cybersecurity updates, and frequently remind users through multiple communication pathways.

4. Response readiness

Encourage users to maintain their skills. An HF approach may involve building a period of training decay into your evaluations. Response-ready users require:

  • Initial training (know fire drill route),

  • Safety communications and routine education (keep skills sharp),

  • Clear roles and responsibilities (point person for emergencies), and

  • Practice scenarios (have fire drills).

Where do we go from here?

While devices may be cybersecure now, constant vigilance and innovation will be required to offset cybercrime in the years to come. The FDA has indicated it is collaborating with federal partners such as HHS (U.S. Department of Health and Human Services) and CISA (Cybersecurity and Infrastructure Security Agency), with the overall priorities of incident detection and emergency response. Moving forward, it will be key to keep attracting cybersecurity professionals to the healthcare space so that digital and telehealth innovation can continue to advance.

We hope to see you at HFES 2021 this week; we will be presenting on this and other topics throughout the conference program!


[1] Bitglass, 2021 Healthcare Breach Report.

About the Author:
Lauren Jensen, PhD


Dr. Lauren Jensen, PhD, is a Biomedical Engineer and Human Factors Consultant with Agilis Consulting Group, LLC. Lauren is experienced in applying human factors principles to the design, evaluation, and validation of medical devices and products. Prior to joining Agilis Consulting Group, Lauren worked in the startup space in Austin, TX, engineering wearable medical products, and competed as a top-ten finalist in NASA iTech Cycle III for innovative technologies. During her PhD at Tulane University School of Medicine, Lauren developed and validated a therapeutic wearable to reduce surgeon tremor and fatigue in the OR.