Who foots the bill for medical IoT security?

It’s a good thing that your iPhone or Android device can easily receive security patches. Updating its firmware and apps is a crucial step in protecting it against hacks.

You might think that it’d be a no-brainer to build advanced software update capabilities into Internet-connected medical devices that have critical functions, such as pacemakers or insulin pumps. But efforts to develop easily patchable medical devices have only just begun.

Such endeavors are at the center of my work, as head of research and development at MedSec. We help medical-device makers build cyber-safe devices ranging from handheld Bluetooth-connected inhalers to refrigerator-size operating-room guidance systems.

Keeping medical-device software up-to-date today requires different processes for different situations.

For devices that stay at the hospital, such as infusion pumps, a hospital clinical-engineering team, or sometimes an even more specialized clinical-security team, will become aware of a software update through manufacturer communications, mailing lists, or notifications on the medical device itself. The team must then find a time when the device is not in use to perform the software update, and run functionality tests to ensure that it’s operational before returning it to active duty.

While sometimes arduous, this process works for devices that permanently live inside hospitals, largely because clinical teams have easy hands-on access, and such operations are part of hospitals’ corporate overhead costs. But what about medical devices that go home with a patient, or are surgically placed inside a patient’s body?

Take-home medical devices such as powered wheelchairs are known as Class II devices because they could hurt a patient but are not critical in sustaining a patient’s life. For Class II, it might be acceptable to let a patient do the software updating at home—it really depends on the patient’s situation. But for Class III devices such as pacemakers or neural stimulators, where a faulty update could harm or even kill a patient, professional supervision is required. And this means that for all Class III and some Class II medical-device updates, a visit to the doctor’s office is in order.

This leads us to the essential question of modern health care, not just in the United States but around the world: Who pays? When a patient needs to see a doctor to receive a software update to her medical device, who’s financially on the hook for that visit?

I hear stories from hospital clinical-security teams about some medical-device manufacturers paying for these visits. More often, I hear about hospitals eating the visit costs. Whether the doctor gets paid for those visits isn’t clear, either.

Hospitals and doctors work on fixed reimbursement rates from insurance companies or government programs in a highly controlled ecosystem, but as of yet, there isn’t a common billing code for “routine cybersecurity checkup,” nor a widely used insurance or government program to reimburse a health care facility for such a visit. No one in the industry seems to know the answer.

It concerns me that if we don’t turn this gray area in the ecosystem into something black and white, clinicians may be financially discouraged from updating the software of Class III devices altogether. This seemingly bureaucratic oversight could grow into a life-threatening issue.

Solving this problem, which lies at the edges of a complicated payment system, is no minor exercise. In 2017, for example, a cybersecurity software update for a Class III implantable device was released that affected 465,000 patients. And according to data from insurer Blue Cross, the average hospital doctor visit costs $200 to $240.

If you applied the more conservative $200 visit estimate across 465,000 patients, this one device update would collectively cost $93 million worth of doctors’ time—$93 million of time that hospitals have no standard means of accounting for.

Given that there are thousands of Class II and Class III medical devices in use by patients today, I’d say this is a bad problem that could get much worse, as more devices require cybersecurity patches.

Most of us in the health care cybersecurity business truly want to make a difference. Personally, I want to protect medical devices and patients from cyberharm. We can talk all we want about how releasing software updates for medical devices helps protect patients, but as with everything in health care, who pays is an increasingly expensive and serious proposition to consider.

It’s time for the health care industry to create new billing codes for cybersecurity-oriented doctors’ visits. Cybersecurity is not going away, and for many medical devices, it’s not something technology alone can address: Internet-connected medical devices, like patients, need regular checkups.

Cybersecurity checkups could be simple. A doctor explains that there is a security patch to install. A clinical engineer then sets up backup care—in the case of a pacemaker update, this would mean hooking up secondary heart pacing—and then applies the patch.

Cybersecurity updates are a permanent condition of the medical-device landscape, and “security through obscurity” won’t keep patients safe. Because MedSec works with dozens of medical-device manufacturers to build cybersecurity into new devices, from risk assessments to designs to penetration tests before release, I can confidently say that cybersecurity software updates are becoming routine, and manufacturers are designing devices with cybersecurity checkups in mind.

This is a major improvement, from a cybersecurity perspective, but also means that a lack of proper accounting for medical-device patches and updates is a problem that’s going to get worse, if it isn’t managed soon.