The 10 Most Innovative Companies Bringing AI to Healthcare
Finally, the third culprit in our trio is the facilities that
refuse to update their devices. Believe it or not, there are
still medical devices in use today that are running Microsoft
Windows XP as their operating system. This OS became unsupported
in April of 2014, which means for the past 4-plus years, any
new Microsoft-based attacks would find an open door to
those devices. Again, to be fair, a significant reason these
devices haven’t been upgraded is that the cost to small
and rural facilities is prohibitive. Many of these smaller
organizations, like solo providers, are struggling to stay
above water in our new healthcare environment. The
thought of spending $200,000 or more on a new X-Ray
machine, for example, is beyond their reach and reason.
This particular issue doesn’t have a simple fix.
What needs to change?
Due to these increased vulnerabilities, a paradigm shift is
required, and it’s as significant as the technological
advancements that led to them. The traditional way of
contracting with a software development team to add the
soft layer on top of a device is no longer valid. Gone are
the days when an offshore software team can be hired, given
a functional specification, and then be released once the
project is completed. Now, medical device manufacturers need
to bring software development in-house and incorporate it
into the design cycle as early as possible. Likewise, the
firmware team needs to stay intact post-development and
work closely with the software team to coordinate patches
and updates on an ongoing basis. Needless to say, these
teams aren’t cheap, nor is this talent easy to come by. As a
result, it’s going to take some time for medical device
manufacturers to get the right teams in place and to adjust
their business models to account for the increased overhead
they present.
What was left off the list?
Many industry insiders grew accustomed to blaming the
bureaucratic morass as their reason for not developing and
pushing out updates to their devices. However, as far back
as 2005 the FDA began making allowances for
security-related patches and updates, and this year it again
issued an update to this policy with the intent to
streamline the process. Frankly, we can’t accuse the FDA of
standing in the way on this issue.
We also omitted the fact that few IoT devices communicate
their data over encrypted channels. This includes medical
devices. Citing the Ponemon study, only a third of device
makers built encryption into their devices and few
healthcare facilities were deploying it on their own IoT
devices. While the percentages have likely improved since
the study was published, those devices, and the thousands
produced before them, are still in use and will be in use
for years to come. Lack of encryption of data in transit
and data at rest violates a HIPAA recommendation and can be
a source of fines from the Office for Civil Rights (OCR), so
it should be implemented wherever possible.
Like all things cybersecurity-related, the manufacturers can
do everything right, but a secure environment is as much
dependent on the training of the workforce as the hardware
itself. Even today, despite the security holes that exist in the
bulk of the currently deployed medical devices, the greatest
source of breaches originates at the user level.
Ultimately, the costs of this shift will be borne by the
consumers through increased costs of care. We can hope
that more vigilant cybersecurity efforts will drive down
the risks involved, but unfortunately this new business
model is here to stay.
DECEMBER 2018