The ability to hack a pacemaker to cause it to glitch? Adjusting a child’s glucose meter to give a false reading to require insulin? Shutting down a respiratory system remotely? Dystopian sci-fi movies never dealt in the mundane practical threats of the digital era colliding with healthcare. Yet today, those threats are very real and our policy infrastructure in healthcare is not built to take the weight of the digital age.
This was made abundantly clear by a representative of the European Union Agency for Network and Information Security (ENISA) at the Estonian Presidency event on eHealth. Never heard of the agency? Neither had I, nor any number of colleagues specialized in healthcare policy at the event. Yet this is the agency that is responsible for cybersecurity in its broadest sense.
Always willing to ask the provocative question, I asked why I had never heard of the agency before. Why was cybersecurity never mentioned in any of the debates on the Medical Devices Regulation, all of which I attended? In the 175-page MDR text there is not one mention of the term.
The answer was that although cybersecurity is not directly mentioned in the MDR, security is indeed mentioned in the section on vigilance. That’s... comforting? When a major cyber-attack causes devastation to patients, at least we will know about it.
At this point alarm bells should be going off for any policy maker who helped to enshrine the concept of safety by design.
With the MDR already completed, what’s the solution? We may not be able to overhaul policy, but regulators can still drastically change how they view the notion of patient safety. Given the threats both known and unknown, regulators need to redefine what patient safety means to them.
Traditional considerations about patient safety and the rate of deterioration of, say, metal-on-metal hip implants need to shift to questions such as “How sophisticated is the software on this assisted living frame or bionic device? Can guided pills be reprogrammed to do more harm than good?”
If cybersecurity is to become a standard safety concern, then regulators must give the software of a new device the same scrutiny as they would its base material, doctors must ensure “cyber-hygiene” is as doctrinal as washing their hands, and we must make a mental shift toward digital era thinking on patient safety.