Since becoming more active in the Biohacking and Healthcare Security field, I have noticed many terms used interchangeably (and incorrectly!) to describe devices within a hospital or other healthcare setting. For example, every device found in healthcare and medicine is treated as a "medical device", and all of them are assumed to be equal in both importance and risk. This is a fundamentally flawed concept, yet the problem of clearly defining these devices in order to avoid confusion or misunderstanding is itself a complex and confusing one. I have spent months trying to decipher what is actually meant by the term "medical device" each time it is used.
The purpose of this article is to propose a more clearly defined way of dividing these devices into categories, making them easier to define, understand, and evaluate. The saying goes KISS: sometimes we should keep it simple, stupid. In Healthcare and Medical security we often suffer from overcomplicating the easy problems and oversimplifying the hard ones. I could name a few talks and podcasts on Healthcare and Medical Security that have left me confused as to what exactly was being discussed.
The term Healthcare is one I closely associate with a hospital or clinical setting. These establishments have devices on their network that are often referred to as medical devices. This is technically not entirely incorrect; however, it can lead to confusion. Consider the devices which the healthcare establishment has placed on the network to run specific software used for clinical review of results, or to communicate with an MRI or X-ray machine. These are almost entirely endpoints used for multiple purposes, of which clinical work is only one. There are also devices which have been created by a medical device manufacturer and connected to the network of the healthcare establishment; these run device-specific firmware on hardware that is often proprietary and manufactured by a third party. This begs the question: which of these is the true medical device?
My proposal is that an endpoint which was created, maintained, and run by the healthcare establishment should not be labeled a medical device. These are Clinical Endpoints or, the terminology I most lean towards, Healthcare Endpoints. These devices are placed by the individual healthcare entity and are managed by the local operations teams. They are mostly built on consumer hardware, running consumer operating systems (predominantly Windows) with custom software on top. The manner in which they are installed, and the level of access or privilege they have, is in the hands of the team administering that network. These devices are almost always unregulated, and each hospital runs its own flavor and implementation. The responsibility for these devices/endpoints lies with the healthcare establishment. Contrast this with medical devices manufactured by Medical Device Manufacturers. These devices include patient monitors, insulin pumps, infusion pumps, robotic surgery aids, MRI, and X-ray machines. They are, and will always remain, the responsibility of the manufacturer, whose job it is to build a safe, secure, and functioning device. This group of devices is heavily regulated by the FDA and similar entities across the world, and must often also comply with various ISO, NIST, and other standards (how well – or poorly – these standards fare in their attempts to cater for the security of medical devices will be covered in another article/post). Medical devices remain the responsibility of the manufacturer to maintain by writing firmware updates, because operationally these responsibilities fall into the manufacturer's hands. That being said, the healthcare establishment that deploys them onto its network carries some of the responsibility for ensuring that the way these devices are deployed is secure and does not compromise the patient.
We all carry some onus to understand the landscape. There needs to be clearly defined terminology to differentiate between the different types of devices, so that we understand what we need to take ownership of and what needs to be done by manufacturers. Once we understand what we are working with, we can start taking ownership of our individual parts, ensure that patients get the care they deserve, and ensure that medical personnel can do their jobs with ease and peace of mind.
Certainly not all medical devices are the same, equal, or faced with the same problems. I leave you with this last thought: why do we apply the same logic used for endpoints within a hospital to medical devices which are connected to or embedded in a human?