It is somewhat ironic that Hospira and Cerner announced a new collaboration on Hospira’s infusion pumps and Cerner’s EHR given that Hospira has recently had more than its share of attention with respect to asserted LifeCare and Symbiq pump cybersecurity vulnerabilities. This attention included a notice from the Department of Homeland Security as well as from the FDA (here and here). I found it of interest that despite the widespread hype around these notices there has been no recall of these pumps for the related issues. Instead advice was given to transition away from their use, mitigate the risks by some technical changes, and await Hospira’s updates.
From the connectivity perspective it is noted that part of the advice was to “isolate” the LifeCare from the network and “disconnect” the Symbiq from the network. Many of you could address better than I how strong the difference is between isolate and disconnect. It seems to me disconnect is clearer and reflects what is perhaps the ultimate in hacking protection, i.e., not to use, be plugged into, be connected to, or communicate wirelessly with the internet, or of course other computers that are in turn connected to the internet. This “air gap” concept has been around for a long time and interestingly was the default when computers were in fact standalone machines (for those that can remember that era) and the internet didn’t or barely existed. Yet even with an a true air gap electromagnetic interference (EMI) is considered a problem in that a device could be interfered with, perhaps intentionally, even if that device had no deliberate communication potential.
Of course people can be the means to bridging the air gap and I have seen it reported that the easiest way to get someone to plug a rouge thumb drive into a “protected” computer is leave the drive on the ground in the parking lot for someone to find–and of course for them to then check out as soon as they sit down at their desk. In this regard I recently sat in the conference room of a major hospital system when the speaker’s thumb drive was plugged into the internet enabled presentation system and there was a pop-up message forbidding the use of an uncleared thumb drive. The solution? Click on CANCEL and the message went away allowing the drive to be used.
Systems users can do any number of other things to undo security systems. We have probably all seen the sometimes lame emails asking for our log in information, or with a link to click on. Despite how often people may be told not to respond to such things they still do so. An experiment has been reported in which a badly worded email claiming to be from IT but with an odd address was sent to employees asking them to click on an unfamiliar and weird sounding link. The number of takers was scary high.
But back to Hospira and Cerner. Part of the announcement was that the collaboration would enable enhanced two way communication. One direction was for the pump to send date to the Cerner EHR. This reflects what has already consumed too many resources and too much intellectual time and energy–getting medical devices to “talk to” EHRs.
The other communication direction discussed was perhaps more interesting. It will involve enabling orders entered in the EHR to result in automatic programming of the patient’s pump. Before undertaking remote auto-programming we should remember that associating a particular pump with a particular patient has been one of the challenges of easy connectivity. Similarly disassociating the pump from the patient at the appropriate time is also important. But association is not the only issue.
Auto-programming from the EHR opens a new potential avenue for hacking. While the prior pump hack stories focused on the pump itself, a new hack scenario here is to manipulate the pump by hacking the EHR and changing the pump control settings there, which in turn would reprogram the pump. If the hacker intended harm then this could be harmful, if it went undetected even briefly. Of course the partners here will assure us that they have taken (or will take) every precaution to make this difficult to do. But I don’t think one could say it would be impossible to do, noting that EHRs have already had there own security issues.
On the other hand we should not confuse a threat being theoretically possible with that threat being currently meaningful and necessarily of high priority. It is still necessary and appropriate to make rational judgments about what threats require what degree of attention, and by whom. But note that I have learned from personal experience that suggesting that a cybersecurity threat may not be of the highest priority can generate a great deal of vitriolic name calling by certain people in the cybersecurity space who think (pretend?) that the risks that they identify are the most important ones among all risks from whatever sources. This often coincides with them being in the business of offering products and services that address the risks that they assert are priority one.
The Hospira/Cerner plan also raises what may be an interesting FDA medical device regulatory issue. An infusion pump from Hospira is clearly a regulated medical device, and a new model might receive closer than normal FDA attention, especially given the buzz around cybersecurity both in general and with respect to Hospira. FDA’s guidance on addressing cybersecurity in premarket submissions might be noted in this regard. Of course here too cybersecurity is not the only issue, and not necessarily the most important issue when designing a controller for an infusion pump. EHRs on the other hand are not regulated as medical devices and therefore the pump programming portion of the EHR might not be regulated by the FDA, or anyone. Or the pump programming portion of the EHR might be an accessory to the pump which might mean it has to be included in Hospira’s FDA filing or later as an add on. Thus the pump controller might be a regulated component of the EHR while the rest of the EHR is not regulated.
It must be a general principle that the more connected you are the more hackable you potentially are, and having remote software automatically program an infusion pump based on human interaction with the EHR has to at least raise the hackability question. This observation does not mean that I think the hack problem is the biggest, most dangerous and most critical issue in the Hospira/Cerner plan. But it certainly must be an issue that deserves attention, especially to the degree that it is a pioneering enterprise.