Though cybersecurity is most closely associated with the IT department, the truth is that it affects and touches all aspects of an organization. Indeed, even the most devoted IT professionals would find themselves at a deficit if basic cyber hygiene is not practiced by the wider staff. This is especially true when it comes to the healthcare industry and the security of connected medical devices.
And while it is common practice for quality assurance teams to ensure the proper management of medical devices across all stages of the product lifecycle, cybersecurity is seldom part of that equation. That’s a problem. In the modern healthcare environment, medical device cybersecurity is as much a quality assurance issue as it is an IT issue.
The Internet of Medical Things (IoMT), the subset of IoT belonging specifically to healthcare and its supporting technologies, is becoming more common in modern hospitals. Each year, more connected devices are manufactured and deployed, expanding the already vast array of connected devices that many hospitals maintain. In fact, IoMT is growing at such a rate that it’s projected to reach a value of $400 billion by 2022.
As organizations embrace the Internet of Medical Things, there is a greater number of endpoints to securely manage and a higher level of knowledge required to do so. Addressing quality management and quality assurance in information security and data privacy requires a multi-pronged and multi-departmental effort focused on best practices, measurable performance indicators, and organizational change. Compromised connected devices could harm patient safety and patient data and tear asunder the quality of care.
What is Quality Assurance?
Quality assurance is the process of establishing set requirements governing operations and ensuring they are consistently followed to increase customer confidence and company reputation, while also improving workflow efficiency and delivering the highest quality product/service possible. Modern quality assurance began in the U.S. during World War II as a means of guaranteeing the quality of high volumes of munitions that were manufactured for the war effort. It has since evolved to cover a wide range of processes and industries.
Quality assurance differs from quality control in that it’s preoccupied with the holistic process, rather than individual outcomes or defects. While quality control addresses flaws and errors, quality assurance is focused on preventing flaws at the procedural level by consistently improving processes. Quality assurance standards are ever-evolving to meet the ever-changing demands of the marketplace. Quality assurance falls under the ISO 9000 family of standards, which specifies best practices for quality assurance processes across several industries.
Although quality assurance began in the manufacturing industry and remains closely associated with it, it’s a significant presence in a wide range of industries today. For example, in software development, quality assurance teams monitor the software engineering process to guarantee developers are adhering best practices (including ISO standards) and regulatory mandates.
Quality assurance in software development is vital to ensuring medical device manufacturers are producing devices that function flawlessly and in accordance with the many regulations governing their implementation and use. These issues are fundamentally entangled with cybersecurity. As Miguel Sancho rightly points out in his article entitled Hack to the Future, "new software typically launches with between 20% to 40% useless code. While that may seem like a pure quality assurance issue, it can quickly reverberate into the security space."
Of course, quality assurance doesn’t just exist in the premarket and is not chiefly about software. It’s about ensuring the quality of a product or service and when it comes to devices, that boils down to functionality. Does the device function as intended consistently and reliably under a reasonable range of conditions? The quality of software code affects functionality and so it’s naturally included within the purview of QA, but so does security.
Quality Assurance in the Healthcare Industry
In healthcare, reputation matters. And inevitably your reputation boils down to a matter of quality. This is not only because patient satisfaction and a hospital's track record increase a hospital’s appeal to prospective patients, but also because insurers tie reimbursement rates to treatment outcomes. Repeated readmissions can result in reduced payments from Medicare and Medicaid, for example, adding to the importance of quality assurance from a business standpoint.
To maintain a high standard of quality, hospitals deploy quality assurance teams, often working together with biomedical engineering personnel, and regulatory departments to assess and affirm the quality of tooling, instrumentation, and processes – with a mind toward improving effectiveness, reliability, and standardization throughout the operation.
Quality assurance professionals are charged with setting process and outcome goals and developing strategies to meet those goals; building on data-driven measurable performance indicators collected both before and after procedural changes are implemented.
Medical device quality assurance is so important that it has its own set of standards under ISO 13485:2016, according to which an organization “needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements." These standards extend across all stages of the medical device life-cycle, from the design, to the manufacturing, to the distribution, to the use and maintenance of connected medical devices.
The Intersection of Cybersecurity & Medical Device Quality Assurance
The quality of connected medical devices goes well beyond their hardware. The way in which a device is configured, used, and updated has significant bearing on the range and reliability of its performance capabilities and, as a result its quality.
If for example, a device is running an unpatched or unsupported version of Windows and has an open SMB port, it’s going to be potentially vulnerable to an attack the likes of WannaCry. That means that at any moment, without warning, that device could be rendered entirely useless. Alternatively, if you fail to properly configure a device’s port communications according to manufacturer specifications, the device’s remote telemetry may be affected. For a device such as a heart monitor, you’ll have impaired key functionality. If those don’t qualify as quality issues, it's hard to imagine what would.
It’s imperative that quality assurance professionals understand the cyber risk profiles of the connected medical devices operated by their organizations. ISO 8402 defines quality as “the totality of characteristics of an entity that bear upon its ability to satisfy stated and implied needs." To ensure quality, healthcare providers that rely on networked, connected devices to deliver care must also consider the consequences that cyber insecurity would have on their ability to satisfy the needs of their patients. By this definition, it’s undeniable that cybersecurity is part and parcel of quality assurance.
Despite this, cybersecurity is typically seen as something that exists apart from the mandate of quality professionals. This must change. We’re overdue for a view of quality assurance that holistically incorporates digital and cyber considerations. Just as quality assurance evolved to incorporate broader principles like Six Sigma that look at the entirety of the product development, life, and business cycle, so must it now begin to more seriously consider the overall product impact of software and digital environment quality — specifically as it relates to the product’s safety, security, and reliability.
Without properly implemented and maintained cybersecurity measures, every connected device in a hospital is quality liability. Out-of-date or improperly connected devices are a common path by which cyber-attackers can gain entry into your network. In healthcare, a compromised network not only avails an attacker to a sea of sensitive patient data (which is protected under laws like HIPAA), but also opens the door for attackers to manipulate medical devices – potentially putting patient lives at risk.
Given that quality assurance is a process designed to prevent flaws by constantly improving and adapting processes, quality assurance teams are uniquely suited to ensure the security of connected medical devices before they can be compromised.
Developing a Multi-Departmental Approach to Cybersecurity
For healthcare organizations to be able to deploy medical devices with any degree of confidence that they will work as designed and in line with both ethical and regulatory standards (without compromising patient safety, care, or privacy), they need to have a firm grasp of the device’s cyber risk profile.
In fact, according to CyberMDX data collected from more than 30 hospitals, a full 8% of connected medical devices are vulnerable to unauthorized remote code execution. Think about that for a moment. That means that at any given point in time a significant proportion of care-critical devices can be hijacked and made to function in a way other than designed. That's the epitome of a quality assurance issue.
Indeed, the world of quality assurance is primed to take its next great leap forward and enlightened healthcare organizations are ideally suited to lead the way. While they have many responsibilities, most of which have nothing to do with cyber, quality assurance teams need to at least partially see themselves as an on-the-ground extension of the IT team. And to do their jobs as best as possible, they need to be supported by the IT team with up-to-date cyber risk profiles for all connected devices.
Establishing a multi-departmental approach to cybersecurity means closely coordinating teams with different core missions – providing them with the right information and tools in real-time to see those missions through to completion.
To this end, healthcare delivery organizations must seek to maximize inter-departmental cooperation – between IT, Biomed, QA, and Accreditation & Compliance – in service of a comprehensive cybersecurity plan. This plan should include a 360-degree view of all connected medical devices on the network, as well as the use of automated tooling that delivers granular insights into the status of each device connected to the organization's network.
At the end of the day, with lives on the line, the cybersecurity of medical devices, it is every bit as much a matter of quality management as it is information technology.