Security researchers have recently uncovered vulnerabilities in potentially all modern processors, affecting nearly all computing devices and operating systems, known by two names, Meltdown and Spectre. The processors are found in everything from personal computers to medical devices. While there are no known exploits yet, the risk still remains until mitigated by appropriate fixes. In case of medical devices, the risk also depends on the type of device i.e. life supporting class III medical device vs. class I medical device.
This serves as a good example to understand the cybersecurity risk mitigation steps and associated costs in the healthcare space, where potential exploitation of such kind of vulnerabilities could lead to ransomware, patient safety and/or data breach events.
So, how would the process work?
The medical device manufacturers will have to work with component(s) and operating system provider(s) to first understand the impact to the performance of products and potential fixes. They’ll have to take released patches and test the medical devices for clinical performance (i.e. safety and efficacy) with those patches. After all, they own the 510(k) process and will be held liable for any product performance issues impacting patient safety. If they find that clinical performance of the devices is negatively impacted, they will have to engage in appropriate redesign activities, resulting in recalls, corrections and/or removals. If clinical performance of the devices isn’t negatively impacted by the patches, they’ll release the patches with the field modification instructions for installation on the equipment in partnership with the healthcare providers (e.g. hospitals).
Once device manufacturers release validated patches with instructions, the patches will have to be commissioned in the field. Depending on whether the device is network connected, appropriate scope of change, network testing, scheduling of downtime, approvals, etc. will have to be considered during the commissioning process. The patching process at a provider site could take from 2 to 6 hours per device involving multiple stakeholders.
Following illustration help us better understand the cost implications. There are roughly 19 million medical devices covering 35 thousand different make/models with some sort of embedded system deployed in the US. Let’s say if (a) Meltdown and Spectre impacted 75% of those devices (b) an average device manufacturer spent 120 hours per make/model to release a patch and (c) an average provider spent 2 hours to patch a device, it would cost $1.6 billion ($1.4B at providers and $0.2B at device manufacturers) to the US healthcare industry. If it took 6 hours to patch a device at a provider site, it would cost $4.5 billion.
While number of hours a manufacturer takes to test and validate a patch for clinical safety and efficacy before releasing it could be high, patching each device in the field might cost much more depending on the size of its installed base. An efficient and effective process could drive significant cost productivity gain in this area.
MediTechSafe has developed a proprietary solution to help hospitals manage their cybersecurity, medical devices and clinical networks related risks. If you are a healthcare provider (or a biomed services provider) interested in learning more about MediTechSafe’s solution, you could reach us at info@meditechsafe.com.