By Binseng Wang, ScD, CCE
On June 17, the U.S. FDA published a “discussion paper” titled “Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities” and asked for comments by Tuesday, August 17.
In this paper, the FDA exposed its current thinking on four topics, believing these are the most important ones related to the servicing of medical devices: privileged access; identification of cybersecurity vulnerabilities and incidents; prevention and mitigation of cybersecurity vulnerabilities; and product lifecycle challenges and opportunities.
The first topic, privileged access, is characterized as limiting “access only to privileged device users” because it is “a key component of ensuring a secure medical device.” The FDA recognized that this is a thorny issue, as “devices that lack basic security may present significant safety concerns” while, on the other hand, without “privileged access, servicing activities may not be possible.”
The FDA added “…therefore, it is important that stakeholders develop solutions to ensure medical devices are secure and mitigate unauthorized use without compromising the safe and effective servicing and use of medical devices.”
Most readers surely do not need me to remind them of the pain they have endured in getting access to the diagnostic and calibration software embedded in medical equipment, especially to obtain the error codes needed for maintenance (in addition to service manuals, and proprietary parts and tools). So, the question posed in the title of this article should not be surprising to anyone—with due apologies to Mr. Bond.
The FDA seems to believe that it will be easy for the equipment buyers (i.e., healthcare delivery organizations, or HDOs) to stipulate in their purchase agreements (aka “responsibility agreements”) the inclusion of “software keys” to ensure privileged access for their staff and those who work for the independent service organizations they commissioned. As most of the readers know, this is not typically the case.
Some OEMs will only provide access to the in-house CE/HTM staff, while others will only allow their own field service representatives to have access and, thus, require the HDOs to sign service contracts. Still others may sell a license for such access at a fairly steep price. In other words, this new “license to kill” will certainly increase the cost of maintenance and, where HDOs must depend on OEM service contracts, increase downtime. In fact, the additional cost for the entire nation could be as high as $4 billion.
If you think that’s bad, please allow me to make things a bit worse. In order to compensate for the increase in downtime, HDOs will have to acquire more backup equipment (or rent it) so as not to delay or deny care to their patients. A quick back-of-the-envelope estimate shows that the total additional capital expense (CapEx) could reach $50 billion nationwide, which is about double the current annual capital expense of all non-government HDOs.
As if this is not bad enough, the OEMs could also use cybersecurity as an excuse to shorten the useful life of medical equipment. After all, they deploy the consumer system software produced by the IT giants, which tend to declare end-of-support every three to four years. If medical equipment has to be replaced one-third sooner than its current typical lifespan, a gross estimate would be an increase of 50% of current CapEx—i.e., an additional $12 billion each year.
Finally, there is the little issue of “legacy devices,” defined by the FDA as “…those that cannot be reasonably protected against currently [sic] cybersecurity threats.” I don’t know if anyone has a good estimate of the number of these legacy devices and how much it would cost to replace them, so I’m venturing out with another wild guess.
Assuming the total equipment inventory in the U.S. is around 16 million pieces and worth about $200 billion, with legacy devices accounting for between 15% and 35% of this total, I would place the replacement cost at between $30 billion and $70 billion. Not likely something that HDOs will easily absorb in one to two years.
I’m not saying that the FDA is unaware of or unsympathetic to this challenge. It stated in the paper that “importantly, FDA is not suggesting that devices be secured to prevent non-OEM servicing when such servicing is technically feasible and appropriate.” However, it is not offering any solution or initiative to tackle this problem. As the recent ransomware attacks on the petroleum pipeline, the meat processing plant, and several hospital systems demonstrated, this problem is not likely to subside anytime soon. Instead, it’s likely to get worse.
Unless you want to join me soon in retreating to a nice and comfortable existence among some friendly creatures in an alligator farm without a cell phone or the Internet, you should send your comments to the FDA and, more importantly, reach out to the senior executives of your HDO—or, better yet, state and national hospital associations. Hopefully, by working together, we can convince them to start negotiating with the OEMs and the appropriate government agencies. After all, Americans cannot afford to let healthcare costs continue to escalate—much less allow quality and timeliness to deteriorate.
Binseng Wang, ScD, CCE, fAIMBE, fACCE, is vice president of program management at Sodexo HTM. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].