Feb 1, 2016

The lock and key question: the security of medical technology


"The opportunity to raise the quality of life is the biggest business opportunity," said President Paul Kagame, Republic of Rwanda, at The World Economic Forum (WEF) 2016 last week. Every day, and across every industry, new technologies are being developed and it's easy to see how these advances are reshaping how we live our lives and manage our health.

At the WEF, NHS England's Chief Executive Simon Stevens announced the launch of a new wave of innovation called 'Test Beds.' Seven programmes across different NHS Trusts to explore how medical technology and medical devices can help people self-manage conditions. Developments such as wearable technology show how the future of healthcare is changing - we're no longer looking for the next big miracle cure, but integration of technology to prevent, detect and manage our health issues.

This new commitment to medical technology however, comes with concerns. In the same week, the American FDA released a report warning the manufacturers to tighten security of such technology, as hacking is an ever more prominent worry. With the increased connectivity of health technology; ability to share data across platforms and the capacity to explore health trends using real life information, the risks to healthcare settings, providers and patients are abundant.

Many medical devices run on operating systems with a relatively low level of security - think Window's XP. So one recommendation from the FDA is that creators of medical technology monitor their devices for the duration of their availability on the market. That's fine in theory, surely most companies would like continual data on performance, usage and results - after all, the constant demand for new technological innovation requires ongoing R&D cycles.

In practice though, what does this continuous monitoring mean for those who make the medical devices? Firstly there is cost; will they be elective or obligatory upgrades? If elective, what price will healthcare systems around the world be willing to place on the security of systems that may not have a problem? If obligatory, will implementing these security upgrades suggest that the systems in their current form aren't safe and therefore cause panic and distrust among their customers?

One solution is a Coordinated Vulnerability Disclosure Policy (CVDP), which allows a third party who finds a security problem in medical technology to assist the device manufacturer to resolve the issue before publically announcing or releasing any communications about the flaw. In healthcare, distrust of technology that a person has come to rely on could have detrimental and severe consequences, so being able to rectify security issues initially can help prevent those using the technology whether HCP or a patient - from making uniformed and potentially life-threatening decisions.

The CVDP is precautionary and establishes a process for quick reactions from a manufacturer. But it also raises the issue of Intellectual Property - when it comes to advances in medical technology, in order to keep patients and hospital systems safe, what should be shared, and what should remain under lock and key? Communicating the need for such precautions can pose many questions, and requires strategy to do what medical technology does for its users; prevent, detect and manage.

Here at ROAD Communications, our medical PR team frequently discuss how technology influences our lives, making the things we need more convenient, healthier, safer or frankly cooler. Behind every new bit of technology that sparks a chat along the lines of, "Did you hear about the new..." there is a company driving change and there's a communications team dispersing it. And if people, healthcare systems, governments and economies can all benefit from advances in medical technology then everyone is a winner.

Image from: Designed by Freepik