Patients are increasingly being referred to as “consumers” for their active involvement in making decisions about their health. The desire for more control and convenience is driving the adoption of certain medical devices, but the issue becomes more complex when considering the future of medicine as it relates to privacy versus convenience, according to Mick Coady, Principal, US Health Services at PricewaterhouseCoopers. “I think numerous use cases are going to be driven out from ‘patient/consumer thinking’ and will have the industry scrambling to take care of the ‘consumer’ rather than just the hospital/patient,” he says. “The way you receive medicine now is based upon convenience of care.” This convenience factor will require device manufacturers to continually examine how their products can better serve patients from the home without having to check in with their physician on a regular basis.
A report released today by PricewaterhouseCooper’s Health Research Institute calls out healthcare trends that many device manufacturers know well, but it also shines a light on security vulnerabilities that companies need to address during product development. The annual report, “Top Health Industry Issues for 2016”, cites a rise in cybersecurity threats as a deterrent to patient adoption (see Figure 1).
“The medical world is becoming a consumer-based thinking world and will continue to change over the next eight years,” says Coady, who is also a partner for PwC’s cybersecurity and privacy practice. With this evolution comes a responsibility on the part of manufacturers to evaluate products (specifically wearables and embeddables, implants, and medical equipment), both those currently on the market and in development, for security vulnerabilities.
Part of the issue is that there are medical devices on the market that were not designed with security in mind from the start. As a result, hospitals are forced to work around this problem. “Because manufacturers haven’t updated or never built security into the devices in the first place, [hospitals] have to zone those devices into a subsection of the network where they add more layers of security in front of or around them to limit the capacity for those devices to be compromised,” says Coady. “In past four months, I’ve picked up five new engagements doing nothing but network re-zoning around that particular problem.” Over the past year, FDA has issued security alerts for products such as insulin pumps for security vulnerabilities, including advisories to discontinue the use of certain insulin pumps such as Hospira’s Symbiq system.
Within the next 24 months, expect to see more mergers and acquisitions. In addition, the fate of the medical device tax repeal will likely have an impact on market dynamics in this space.“The looming problem is that people are finding out very sophisticated ways to attack people just for specific reasons,” says Coady. “If you want to pay a nation or a state to do something bad, and if you want to be tied to some form of terrorism and do something bad to a populous in any country, you have the ability through the medical device to get a sophisticated attack out there that could harm individuals depending on what device they have in their body.”
It sounds scary, but the idea of hacking into medical devices is not new, and it has been all over the news, especially within the past year, as a warning to patients and the general public about the risks associated with connected products. When asked what devices are most vulnerable to security and privacy breaches, Coady replied, “All of them,” adding, “From what I’ve seen in the [medical device] manufacturer space, I don’t have confidence that most of the embedded devices going into human beings have the appropriate levels of security.”
Register to attend (virtually or in-person) mHealth for Medical Device Manufacturers, February 3-4, 2016. VIEW AGENDAThere is a general consensus within the industry that something needs to be done about the security of connected medical devices. In fact, FDA just announced that it is holding a public workshop next month to discuss the issue and how stakeholders can work together to move forward. At the product design level, manufacturers should build security into the development process as early as possible, because the cost of retrofitting products with security fixes can be threefold or more. As for devices already on the market, Coady recommends running security, risk and vulnerability tests. While this can be a costly step, it may be unavoidable as FDA begins to take more action against devices that have cybersecurity issues.