Medical devices are becoming increasingly pervasive and interconnected, with hospitals averaging 10 to 15 network-connected devices per bed. 90% of hospitals were victims of cyber-attacks in 2014 and 2015, and it cost the healthcare industry $6 billion to address these attacks. Healthcare (unfortunately) is becoming the most victimized across all industries, accounting for 27% of all breaches in the first half of 2016.
It’s important now more than ever to control access to medical devices so only the right people can do the right things with them. Also known as access control, authentication, or identity management, getting cybersecurity wrong can lead to security problems, poor usability, or both.
What kinds of security problems?
“Just lock it down” doesn’t work.
After reading the examples above a medical device developer might be inclined to enforce rigid security requirements, like 20-character complex passwords that must be changed every 7 days. Don’t do this.
An overly complex password can provide a false sense of security and can lead to problems like the following:
When users, especially in health care, are faced with obstacles to getting their job done, they get creative in working around those obstacles, making the systems less secure. Researchers looking at this topic found the following workarounds:
Workarounds like these can cause problems with inadvertent or unintentional exposure of protected health information as well as accidents, such as entering a medication order for the wrong patient, because the previous clinician did not log out properly.
Make it usable AND secure.
Logging in is never a primary user goal; users log in so they can accomplish some other task. It’s essential to make authentication as easy as possible for authorized users while preventing those without permission from using the system. Medical device developers should minimize these distractions so users can focus on necessary tasks.
One place to start is to carefully develop a threat model, analyzing which interactions with a device are higher risk and need securing. For example, knowing that the infusion pump is running or infusion time remaining might be lower risk and not require login, while changing the dose is probably higher risk and needs to be password-protected. This way, the user can still get needed information from the system without having to expend time and effort logging in. Once a user is logged in, they should be able to take “protected” actions for the duration of their login session. Forcing authentication for each individual feature leads to choppy workflows and potentially insecure workarounds.
If your system requires users to log in, consider ways to reduce or eliminate the need for them to memorize and enter information. They have enough stuff to remember for their “day job.” Consider the following:
It’s important to consider everything that could go wrong, and give the user a clear path to resolving problems. As medical device developers, one way we can do this is by providing clear messages for authentication errors, a means of resetting a forgotten password directly on the device, and a way to get help if the user cannot resolve the problem independently.
We also need to consider carefully how and when to end a user’s login session. If the session ends too soon, it could interfere with the user’s work, but waiting too long could leave the session open to misuse by unauthorized and authorized users alike.
Creating usable and secure systems starts with understanding the user’s workflow and adapting the system to it. This is much easier than changing human behavior. We should observe users performing their work in context to answer questions like:
Conclusion
In the U.S., the Food and Drug Administration is applying increasing scrutiny to cybersecurity, issuing guidance on cybersecurity documentation needs for premarket submissions and maintaining a repository of additional resources. Medical device developers need to consider security throughout the product development process.
In the end, medical products need to address both usability and security concerns to minimize risk, be effective, and achieve market success. Considering them together, rather than separately, will result in a more balanced approach.
Sources and further reading