Security, Safety, and Interoperability: Striking a Balance

Written by Kaeli Yuen

Recently, concern has been mounting over the security vulnerabilities of medical equipment. Studies have found that it is “insanely easy” to hack into medical devices, including drug infusion pumps, pacemakers, imaging machines, bluetooth-enabled devices, lab equipment, and many others. Digital medical records can also be altered remotely, disrupting appropriate care. It is clear that these security problems must be addressed, and there have been a few steps made toward that end. In July, the FDA issued its first warning about a medical device based on its risk for cyber attack. However, as medical technology becomes increasingly networked, this threat is fast outpacing the accompanying security requirements.

There is, surprisingly, somewhat of a silver lining to these security vulnerabilities. Tech-minded patients frustrated with the slow pace of innovation in medical technology have been able to hack their own devices to get personalized care. This is an example of the age-old conflict between security and usability, of which a classically cited example is password security. The more secure a password becomes (i.e. longer, more complex, and changed more often), the less usable it is. A very cumbersome password can drive the user to use workarounds (e.g. writing the password on paper) that compromise the intended security. However, despite the appearance that security and usability oppose one another, they can actually work symbiotically. In fact, focusing on one without paying attention to the other can be problematic. For example, an overly-secure insulin pump may hamper innovation that would allow for personalized care.

In healthcare, this tension between security and usability is complicated by the issue of patient safety, and augmented by the great demand for interoperability of systems to increase their usability.  Just as an infection may spread quickly through the body if it accesses the blood stream, the potential reach of a cyber attack is made much greater by increased interoperability of medical devices and digital records. And, just as our immune system must strike a delicate balance between protecting against invaders and avoiding autoimmunity, our challenge now in health IT is to strike an appropriate balance between security and usability of increasingly networked medical technology.

To that end, we can begin by examining other industries that have also faced this challenge. For example, a service that transfers funds digitally must be both secure and usable to be successful.  Venmo is one such service for transferring funds between friends, which has gained great popularity due to its  high usability: with just a few taps of a finger, funds can be transferred from one user to another. However, this high usability comes at a cost - Venmo lacks two-factor authentication, gives no warnings to users of suspicious activity, and is riddled with other security vulnerabilities. In contrast, PayPal offers a similar service that is slightly less usable but much more secure. Because PayPal was designed to support transactions on eBay between strangers, rather than transactions (presumably) between friends, its development required a lot of work toward securing the system. While it is not quite as convenient to use as its younger counterpart, Venmo, it comes pretty darn close.

The success of PayPal demonstrates that, though difficult, it is not impossible to make something both usable and secure. In healthcare, it is especially important to avoid tipping the balance too far in either direction, in order to achieve the ultimate goal of helping patients without hurting them.  And, with enough careful thought and effort on our parts, we can achieve this worthy end.

Akido Labs is a company that brings modern data management technology to hospitals. Learn more at www.akidolabs.com.