Anura S. Fernando, chief innovation architect, medical systems interoperability and security, at UL, agreed that the healthcare industry still has a long way to go to provide even better-than-average security in connected devices. But he said one reason security tends to be uneven is that not all facilities are as well-funded as others.
“Many hospitals and healthcare centers have very strong security policies and practices,” he said. “But small, independently run, rural clinics have to deal with the same security issues as large healthcare delivery networks, budgets, access to skilled workforce, and many other factors.”
There is also the reality that change will not happen quickly. Most medical devices are made to operate safely for years, sometimes decades. Consequently, many of those now in use were never intended to be connected to the internet.
That means the provisions of UL 2900-2-1, which call for the elimination of hard-coded passwords, among other things, will take considerable time to become mainstream.
Trowell noted that devices being designed for release this year “were being designed about three to seven years ago. This means that the best-case scenario is that a larger number of the devices arriving next year will have been designed with the suggestions made by UL 2900-2-1 in effect.”
Fernando said things are moving toward better security. The adoption of UL 2900-2-1 “by regulators around the world such as the U.S. FDA, Health Canada, Australian TGA, etc., has started to drive some alignment in the global approach to generating objective, test-based evidence supporting manufacturers’ security claims.”
The hope, he said, is that this will mean that “innovative new healthcare technologies can reach the patient bedside more quickly.”