by Sean Ruck
, Contributing Editor | May 08, 2018
From the May 2018 issue of HealthCare Business News magazine
HCB News: Cybersecurity isn’t currently the front-page story that it was last year for public news sites, but it’s still important for health care. Where does it sit on AAMI’s radar today?
AAMI has a number of standards related to cybersecurity, and we have one technical information report that is fundamentally a guide and baseline for some of our subsequent cyber standards. Cybersecurity is a truly complex issue for the medical technology community. For manufacturers, it has meant ensuring that devices would continue to function as intended, even in the event of a security breach, so that patient safety would not be adversely affected. From that perspective, security risks are primarily a safety risk.
Health care providers, who manage patient data and the networks, are also worried about patient safety, but they have to worry, as well, about data security based on the HIPAA regulations and ensuring patient data confidentiality is not compromised. So security risks around that particular issue are also privacy risks.
“Bad actors” have appeared in recent years who attack medical devices or health IT networks maliciously. As was the case with WannaCry and ransomware attacks, there’s also a risk associated with the whole clinical enterprise being able to carry out its business. So we really approach the cybersecurity challenge from multiple directions. Because of the merging of digital environments in health care delivery organizations, where all things digital end up being connected on a network, we deal with the security, the privacy and the enterprise risks all at the same time. Our overall goal is really to align these different perspectives and the risk tolerances that go with them, and then try to facilitate a means of managing and responding to each of those different types of risks. There’s no real single solution that works for everybody – the device manufacturers, the network managers, or for that matter, the entire enterprise. But we try to use all the tools that we have to meet each of their needs.
HCB News: Over the last 12 months, we've seen a lot of movement on the FDA's investigation into third-party equipment service, and two fairly polarized viewpoints on the issue. AAMI has done a valiant job of maintaining neutrality in this ongoing debate. What is your message to stakeholders firmly planted on either side of the conversation?
I appreciate the compliment, that’s what we try to do. As you probably know, we don’t lobby. Our stakeholders are from different areas, and our neutrality allows us to bring them together and try to get them to work together. If they come to the table and are willing to truly talk and negotiate, I think there’s a way to work this out. On the other hand, if different parties are stuck in a position where they’re not willing to negotiate, I think that we ’ll continue to see the problem until there are legal challenges and case law to set the precedents that move things forward. We have been looking at a way to bring the parties together and get some work done toward a solution. However, it’s my role to make a judgement on whether or not the parties will come together and earnestly negotiate in good faith, because I can’t waste our members’ resources on efforts that don’t look like they’ll succeed. That’s been our message so far. We’ve spoken with the FDA and had conversations with all of the parties engaged in this discussion, and I’m really waiting to see if there’s going to be a point where everyone is willing to negotiate.