
Managing medical device security requires better collaboration

By Eric Wicklund, Editor, mHealthNews

ORLANDO – Who's responsible when a medical device breaks down or is hacked – the manufacturer who made it or the healthcare provider who's using it? 

The question isn't easy to answer, but it is sure fun to discuss. And as the daylong Medical Device Security Risks and Challenges Symposium kicked into gear Sunday morning at the Orlando County Convention Center, that conversation kept things lively. 

"It's not about security," said Theresa Cullen, MD, chief medical information officer of the Veterans Health Administration. "It's about healthcare delivery in a secure fashion."

Cullen should know. An ER doctor by profession, she "lives with risk every day." And during her five years as CIO of the Indian Health Service, she once had to dispatch a helicopter down into the Grand Canyon to disconnect a device from the network. 

Now she's dealing with 650,000 discrete medical devices in the VA, about 10 percent of which are hooked up to the network. So while she's worried about devices being used, she wonders if the companies that have designed those devices did their best to make sure they won't break down or be hacked.

That's Michael McNeil's job. As global product security and services officer for Philips Healthcare, he's concerned not only with the products now coming off the shelves, but with going back and finding ways to protect and secure the company's legacy devices. 

Both Cullen and McNeil, who opened the HIMSS14 symposium as co-keynote speakers, said the answer to privacy and security lies in collaboration. And that should involve not only vendors and providers, but legal and regulatory agencies, standards organizations, even patients.

Is that happening?

Not really, said Dale Nordenburg, MD, executive director of the Medical Device Innovation, Security and Safety Consortium (MDISS). "We still have a very significant silo problem here," he said.

"When we talk about collaboration, I'm not sure we're there yet," added Cullen.

McNeil, who'd worked for Medtronic before moving to Philips, said device manufacturers understand "they're not just selling the box and moving on," and they have a responsibility to ensure their products – including legacy products – are safe and secure. That means keeping the lines of communication open with providers.

If security is an afterthought with providers, he said, "you're going to have problems, you're going to have issues, and that's on the manufacturers."

As the session wound down, Nordenburg looked out over the audience of roughly 100 people and asked if any physicians or risk compliance officers were present. No one raised a hand. 

So collaboration is still on the horizon.