The following is a guest post from CCC Council Member Kevin Fu, the Associate Professor of EECS at the University of Michigan and Chief Scientist of Virta Labs, Inc.
Last month, the White House quietly convened a group of medical device security stakeholders and domain experts to discuss the cybersecurity challenges faced by healthcare delivery organizations and medical device manufacturers. There were actually multiple meetings. Here I summarize just one that I attended in my role as a professor leading the Archimedes Center for Medical Device Security at the University of Michigan, and in my role as a member of the Computing Research Association’s Computing Community Consortium (CCC) Council.
Convened by the President’s Office of Science and Technology Policy (OSTP), we sat together in the elegant Diplomatic Room in the Old Executive Office Building. I was invited because of my expertise in medical device security and FDA regulatory affairs dating back to when I briefed the FDA in October 2006 on looming cybersecurity risks and when I worked in hospital IT in the early 1990s. I was probably not invited for my bread making skills.
The room was packed with people from a diverse set of backgrounds: techies, physicians, policy wonks, CISOs, lawyers, and more. I noticed that the group roughly divided into three parts, like Gaul:
- visitors like myself who responded to questions,
- special assistants to the President who asked questions, and
- leaders from various parts of the executive branch who listened attentively.
White House Chief Data Scientist DJ Patil chaired the meeting. White House Cybersecurity Czar Michael Daniel asked many questions.
There were a large number of federal representatives from
- various HHS agencies (FDA, CMS, OCR, ONC) plus the HHS CISO,
- the U.S. Digital Service,
- DOD,
- DHS,
- FBI,
- NIH,
- the National Security Council, and
- a guy from the Secret Service who offered just his first name.
One notable techie in the room was Mina Hsiang, a fellow engineer from MIT who served in the tech surge team to rescue healthcare.gov.
We talked about the NIST cybersecurity framework, collaboration across agencies and industry, regulatory matters to incentivize better cybersecurity, information sharing so that hospitals and manufacturers need not be in the dark about threats, incident and vulnerability response, leadership, and medical devices in general.
Michael Daniel expressed concern that the Internet was becoming a liability, but also that security problems can slow innovation. He pointed out that the median number of days to detect an intrusion has improved to an embarrassing 209 days across all industries. So what happens during those 209 days as the intrusion spreads its tentacles thru a hospital? He also expressed hope that computer scientists can find a way to decouple and better layer security into operating systems (sounds right up the alley for an SOSP paper). Multiple speakers brought up the topic of Medicare/Medicaid reimbursement policies, and how it ought to use the power of the purse to incentivize purchasing of more secure, safe, and effective products. Separately reached for comment, a representative from CMS explained that they do routinely realign their reimbursement policies, especially when FDA uses new guidance (ahem, cue the new FDA pre-market and post-market guidance). A CMS representative explained that it’s not uncommon to set policies more strict than FDA requirements by pointing to industry standards (cue AAMI TIR 57 on medical device security).
It’s the Simple Stuff, Stupid
The feds had many questions about NIST guidance documents on cybersecurity, and the invited guests from industry heaped praise on NIST for documents that actually get used in practice. Footnote: NIST is about to celebrate the grand opening of its new National Cybersecurity Center of Excellence (NCCoE). I’ve been asked to spread the word about their recently posted call on tools to protect the security of medical devices.One of the more interesting conversations involved culture shock. When I spoke about the security problems that hospitals face and the sometimes adversarial relationship between IT and biomedical groups, the counsels from the American Hospital Association nodded, smiled, and sighed in agreement. They know what I am talking about: the IT security people that lock down computers to the point that clinicians can’t get their job done, or the clinician who accidentally infects a cathlab with virus transferred by a USB stick from a Yahoo account on a nursing workstation. Having worked in a community hospital installing computers in patient rooms, back offices such as medical records, and administrative areas such as the CEO’s office, I had first hand experience observing effective and ineffective ways of deploying technology in clinical areas. IT security people: thou shalt not interrupt clinical workflow! Period!
For the academics
I’d like to encourage my fellow computer science faculty to get out of their dingy offices and educate leaders in government. Conference and journal publications are not the end point of research, but rather the beginning of impact on society at large. For faculty who might participate in future White House roundtables, here’s a bit of advice. Come prepared with a single request, not a long annoying list, of how the government can help help rather than get in the way. My request was simple: use the force. That is, use the convening force of the government to bring stakeholders together. I asked them to convene medical device manufacturer CEOs, Boards of Directors, and hospital executives to ask how they are meaningfully addressing medical device security risks.
Final thoughts
The higher ranking people in federal government are just beginning to wrestle with the problem of medical device security. It’s clear that the government isn’t going to sit idly as hospitals continue to get infected with cybersecurity problems (three hospitals hit last week [1, 2, 3]) and manufacturers continue to produce difficult to secure devices (remote buffer overflows in drug infusion pumps last week). At the end of the day, hands were shook, business cards were exchanged, speaking invitations were offered, and other passive tense events.