
Somatix: Bringing Gesture Recognition to Healthcare

Posted on July 19, 2018 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The number and variety of sensors and tracking devices coming to healthcare is astounding. All of these devices are going to provide a platform for hundreds of innovative companies to build amazing software on top of all of this hardware that will really impact healthcare. It’s exciting to see.

I saw this in action first hand when I talked with Eran Ofir, CEO and Co-Founder of Somatix. What makes Somatix interesting is that they do their hand gesture tracking on any hardware. There are dozens of off-the-shelf wearable technologies from tech giants, high-end brands, sports leaders, and fashion brands which can be used together with Somatix.

Using these off-the-shelf technologies, Somatix does a pretty wide range of gesture detection including: smoking, eating, drinking (cold and hot), teeth brushing, walking, sleeping, shaving, taking medication, and more. When you think about the sensors that are available in these commercial wearables, it’s not hard to see how this type of gesture detection is possible. Plus, these charts illustrate how different gestures register on wearables:

It’s not hard to imagine how this gesture recognition technology can be used in healthcare. It can detect sudden falls, medication adherence, immobility, sleeping habits, missed meals, low liquid consumption, smoking, and even neurological malfunctioning.

The question is what do you do once a certain action is detected? Somatix is doing some work in this area as well. Detecting the gesture is just the first step, but can work as a trigger to enable care providers to intervene with personalized messages and incentives to the patient. One of the areas where Somatix has seen success is in their SmokeBeat product which helps with smoking cessation.

As I look at the bigger picture, I could see hundreds of applications of this gesture technology in healthcare. So, I asked Eran if Somatix offered an API that would allow startup companies, health systems, payers, and other healthcare organizations to be able to incorporate this gesture recognition technology into their own applications. Unfortunately, they haven’t gone this route yet since they’re a relatively young company, but he saw that as a potential future opportunity. I hope they take that route since gesture recognition across all of these devices is a hard thing to build, but is a powerful thing that could benefit a wide variety of healthcare applications.

All in all, I was impressed by what Somatix has built. Plus, it was easy to see how, as they get more hand gesture data, they’ll be able to improve the accuracy of the gesture detection even more. Eran described how they’d seen this first hand with detecting smoking, which they can now detect almost perfectly. While not all of the gesture detection has perfect accuracy, it will get pretty close over time.

Healthcare still has a ways to go in figuring out how to turn gesture recognition into improved care, but it’s great to see companies like Somatix perfecting the recognition which will enable care providers to use that data to improve a patient’s health. Gesture recognition technology from Somatix is a great example of a building block of change that will transform healthcare as we know it.

An Interesting Overview Of Alphabet’s Healthcare Investments

Posted on June 27, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Recently I’ve begun reading a blog called The Medical Futurist which offers some very interesting fare. In addition to some intriguing speculation, it includes some research that I haven’t seen anywhere else. (It is written by a physician named Bertalan Mesko.)

In this case, Mesko has buried a shrewd and well-researched piece on Alphabet’s healthcare investments in an otherwise rambling article. (The rambling part is actually pretty interesting on its own, by the way.)

The piece offers a rather comprehensive update on Alphabet’s investments in and partnerships with healthcare-related companies, suggesting that no other contender in Silicon Valley is investing in this sector as heavily as Alphabet’s GV (formerly Google Ventures). I don’t know if he’s right about this, but it’s probably true.

By Mesko’s count, GV has backed almost 60 health-related enterprises since the fund was first kicked off in 2009. These investments include direct-to-consumer genetic testing firm 23andme, health insurance company Oscar Health, telemedicine venture Doctor on Demand and Flatiron Health, which is building an oncology-focused data platform.

Mesko also points out that GV has had an admirable track record so far, with five of the companies it first backed going public in the last year. I’m not sure I agree that going public is per se a sign of success (a lot depends on how the IPO is received by Wall Street), but I see his logic.

In addition, he notes that Alphabet is stocking up on intellectual resources. The article cites research by Ernst & Young reporting that Alphabet filed 186 healthcare-related patents between 2013 and 2017.

Most of these patents are related to DeepMind, which Google acquired in 2014, and Verily Life Sciences (formerly Google Life Sciences). While these deals are interesting in and of themselves, on a broader level the patents demonstrate Alphabet’s interest in treating chronic illnesses like diabetes and the use of bioelectronics, he says.

Meanwhile, Verily continues to work on a genetic data-collecting initiative known as the Baseline Study. It plans to leverage this data, using some of the same algorithms behind Google’s search technology, to pinpoint what makes people healthy.

It’s a grand and somewhat intimidating picture.

Obviously, there’s a lot more to discuss here, and even Mesko’s in-depth piece barely scratches the surface of what can come out of Alphabet and Google’s health investments. Regardless, it’s worth keeping track of their activity in the sector even if you find it overwhelming. You may be working for one of those companies someday.

“Shadow” Devices Expose Networks To New Threats

Posted on June 4, 2018 | Written By Anne Zieger

A new report by security vendor Infoblox suggests that threats posed by “shadow” personal devices connected to healthcare networks are getting worse.

The study, which looks at healthcare organizations in the US, UK, Germany, and UAE, notes that the average organization has thousands of personal devices connected to its enterprise network, including personal laptops, Kindles and mobile phones.

Employees from the US and the UK report using personal devices connected to their enterprise network for multiple activities, including social media use (39%), downloading apps (24%), games (13%) and films (7%), the report says.

It would be bad enough if these pastimes only consumed network resources and time, but the problem goes far beyond that. Use of these shadow devices can open up healthcare networks to nasty attacks. For example, social media is increasingly a vector of malware infection, where bad actors successfully urge users to download unfamiliar files.

Health IT directors responding to the study also said there were a significant number of non-business IoT devices connected to their network including fitness trackers (49%), digital assistants like Amazon Alexa (47%), smart TVs (46%), smart kitchen devices such as connected kettles or microwaves (33%) and game consoles such as the Xbox or PlayStation (30%).

In many cases, exploits can take total control of these devices, with serious potential consequences. For example, one can turn a Samsung Smart TV into a live microphone and other smart TVs could be used to steal data and install unwanted apps.

Of course, IT directors aren’t standing around and ignoring these threats and have developed policies for dealing with them. But the report argues that their security policies for connected devices aren’t as effective as they think. For example, while 88% of the IT leaders surveyed said their security policy was either effective or very effective, employees didn’t even know it was in effect in many cases.

In addition, 85% of healthcare organizations have also increased their cybersecurity spending over the past year, and 12% of organizations have increased it by over 50%. Most HIT leaders appear to be focused on traditional solutions, including antivirus software (60%) and cybersecurity investments (57%). In addition, more than half of US healthcare IT professionals said their company invests in encryption software.

Also, about one-third of healthcare IT professionals said the company is investing in employee education (35%), email security solutions and threat intelligence (30%). One in five were investing in biometric solutions.

Ultimately, what this report makes clear is that health IT organizations need to reduce the number of unauthorized personal devices connected to their network. Nearly any other strategy just puts a band-aid on a gaping wound.

Health IT Leaders Spending On Security, Not AI And Wearables

Posted on December 18, 2017 | Written By Anne Zieger

While breakout technologies like wearables and AI are hot, health system leaders don’t seem to be that excited about adopting them, according to a new study which reached out to more than 20 US health systems.

Nine out of 10 health systems said they increased their spending on cybersecurity technology, according to research by the Center for Connected Medicine (CCM) in partnership with the Health Management Academy.

However, many other emerging technologies don’t seem to be making the cut. For example, despite the publicity it’s received, two-thirds of health IT leaders said using AI was a low or very low priority. It seems that they don’t see a business model for using it.

The same goes for many other technologies that fascinate analysts and editors. For example, while many observers might expect otherwise, less than a quarter of respondents (17%) were paying much attention to wearables or making any bets on mobile health apps (21%).

When it comes to telemedicine, hospitals and health systems noted that they were in a bind. Less than half said they receive reimbursement for virtual consults (39%) or remote monitoring (46%). Things may resolve next year, however. Seventy-one percent of those not getting paid right now expect to be reimbursed for such care in 2018.

Despite all of this pessimism about the latest emerging technologies, health IT leaders were somewhat optimistic about the benefits of predictive analytics, with more than half of respondents using or planning to begin using genomic testing for personalized medicine. The study reported that many of these episodes will be focused on oncology, anesthesia and pharmacogenetics.

What should we make of these results? After all, many seem to fly in the face of predictions industry watchers have offered.

Well, for one thing, it’s good to see that hospitals and health systems are engaging in long-overdue beefing up of their security infrastructure. As we’ve noted here in the past, hospital spending on cybersecurity has been meager at best.

Another thing is that while a few innovative hospitals are taking patient-generated health data seriously, many others are taking a rather conservative position here. While nobody seems to disagree that such data will change the business, it seems many hospitals are waiting for somebody else to take the risks inherent in investing in any new data scheme.

Finally, it seems that we are seeing a critical mass of influential hospitals that expect good things from telemedicine going forward. We are already seeing some large, influential academic medical centers treat virtual care as a routine part of their service offerings and a way to minimize gaps in care.

All told, it seems that at the moment, study respondents are less interested in sexy new innovations than the VCs showering them with money. That being said, it looks like many of these emerging strategies might pay off in 2018. It should be an interesting year.

Health Data Tracking Is Creeping Into Professional Sports

Posted on October 27, 2017 | Written By Anne Zieger

Pro athletes are used to having their performance tracked minutely, not only by team owners but also by legions of fans for whom data on their favorite players is a favored currency. However, athletic data tracking has taken on a new shape with the emergence of wearable devices.

For example, in spring of last year, Major League Baseball approved two devices for use during games, the Motus Baseball Sleeve, which tracks stress on elbows, and the Zephyr Bioharness, which monitors heart and breathing rates, skin temperature and sleep cycle.

In what must be a disappointment to fans, data from the devices isn’t available in real time and only can be downloaded after games. Also, clubs use the data for internal purposes only, which includes sharing it with the player but no one else. Broadcasters and other commercial entities can’t access it.

More recently, in April of this year, the National Football League Players Association struck a deal with wearables vendor WHOOP under which its band will track athletes’ performance data. The WHOOP Strap 2.0 measures data 100 times per second then transmits the data automatically to its mobile and web apps for analysis and performance recommendations.

Unlike with the MLB agreement, NFL players own and control the individual data collected by the device, and retain the rights to sell their WHOOP data through the Players Association group licensing program.

Not all athletes are comfortable with the idea of having their performance data collected. For example, as an article in The Atlantic notes, players in the National Basketball Association included the right to opt out of using biometric trackers in their latest collective-bargaining agreement, which specifies that teams requesting a player wear one explain in writing what’s being tracked and how the team will use the information. The agreement also includes a clause stating that the data can’t be used or referenced as part of player contract negotiations.

Now, it’s worth taking a moment to note that concerns over the management of professional athlete performance data fall into a different bucket than the resale of de-identified patient data. The athletic data is generated only during the game, while consumer wearables collect data the entire time a patient is awake and sometimes when they sleep. The devices targeting athletes are designed to capture massive amounts of data, while consumer wearables collect data sporadically and perhaps not so accurately at times.

Nonetheless, the two forms of data collection are part of a larger pattern in which detailed health data tracking is becoming the norm. Athletic clubs may put it to a different purpose, but both consumer and professional data use are part of an emerging trend in which health monitoring is a 24/7 thing. Right now, consumers themselves generally can’t earn money by selling their individual data, but maybe there should be an app for that.

Costs Of Compromised Credentials Rising

Posted on March 3, 2017 | Written By Anne Zieger

Healthcare organizations face unique network access challenges. While some industries only need to control access by professional employees and partners, healthcare organizations are increasingly opening up data to consumers, and the number of consumer access points is multiplying. While other industries face similar problems – banking seems particularly relevant – I don’t know of any other industry that depends on such a sophisticated data exchange with consumers to achieve critical results.

Given the industry’s security issues, I found the following article to be quite interesting. While it doesn’t address healthcare concerns directly, I think it’s relevant nonetheless.

The article, written by InfoArmor CTO Christian Lees, contends that next-generation credentials are “edging toward a precarious place.” He argues that because IT workers are under great pressure to produce, they’re rushing the credentialing process. And that has led to a lack of attention to detail, he says:

“Employees, contractors and even vendors are rapidly credentialed with little attention given to security rules such as limiting access per job roles, enforcing secure passwords, and immediately revoking credentials after an employee moves on…[and as a result], criminals get to choose from a smorgasbord of credentialed identities with which to phish employees and even top executives.”

Meanwhile, if auto-generated passwords are short and ineffective, or so long that users must write them down to remember them, credentials tend to get compromised quickly. What’s more, password sharing and security shortcuts used for sign-in (such as storing a password in a browser) pose further risk, he notes.

Though he doesn’t state this in exactly these words, the problem is obviously multiplied when you’re a healthcare provider. After all, if you’re managing not only thousands of employee and partner credentials, but potentially, millions of consumer credentials for use in accessing portal data, you’re fighting a battle on many fronts.

And unfortunately, the cost of losing control of these credentials is very high. In fact, according to a Verizon study, 63% of confirmed data breaches happening last year involved weak, default or stolen passwords.

To tackle this problem, Lees suggests, organizations should create a work process which handles different types of credentials in different ways.

If you’re providing access to public-facing information, which doesn’t include transaction, identifying or sensitive information, using a standard password may be good enough. The passwords should still be encrypted and protected, but they should still be easy to use, he says.

Meanwhile, if you need to offer users access to highly sensitive information, your IT organization should implement a separate process which assigns stronger, more complex passwords as well as security layers like biometrics, cryptographic keys or out-of-band confirmation codes, Lees recommends.

Another way to improve your credentialing strategy is to associate known behaviors with those credentials. “If you know that Bill comes to the office on Tuesdays and Thursdays but works remotely the rest of the week and that he routinely accesses certain types of files, it becomes much harder for a criminal to use Bill’s compromised credentials undetected,” he writes.
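The behavior association Lees describes can be sketched as a per-user baseline that each new access is compared against. This is an added example, not code from Lees' article or from this post; the event fields, function names, one-hour tolerance and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history of past accesses: (user, timestamp, location, resource type).
# It mirrors the quoted scenario: office on Tuesdays and Thursdays, remote otherwise.
HISTORY = [
    ("bill", "2017-02-07T09:05", "office", "billing"),     # Tuesday
    ("bill", "2017-02-08T10:15", "remote", "billing"),     # Wednesday
    ("bill", "2017-02-09T08:50", "office", "scheduling"),  # Thursday
    ("bill", "2017-02-10T11:00", "remote", "scheduling"),  # Friday
    ("bill", "2017-02-13T09:30", "remote", "billing"),     # Monday
    ("bill", "2017-02-14T09:00", "office", "billing"),     # Tuesday
    ("bill", "2017-02-16T09:10", "office", "scheduling"),  # Thursday
]


def build_baseline(history):
    """Summarize known behavior per user: where they log in from on each
    weekday, which resource types they touch, and at which hours."""
    baseline = {}
    for user, ts, location, resource in history:
        when = datetime.fromisoformat(ts)
        profile = baseline.setdefault(user, {
            "locations": defaultdict(set),  # weekday (0=Mon) -> locations seen
            "resources": set(),
            "hours": set(),
        })
        profile["locations"][when.weekday()].add(location)
        profile["resources"].add(resource)
        profile["hours"].add(when.hour)
    return baseline


def check_event(baseline, event, hour_slack=1):
    """Return the reasons an access deviates from the user's baseline.
    An empty list means the access matches known behavior."""
    user, ts, location, resource = event
    profile = baseline.get(user)
    if profile is None:
        # A credential with no recorded behavior cannot be vouched for.
        return ["no baseline for user"]

    when = datetime.fromisoformat(ts)
    reasons = []

    usual_locations = profile["locations"].get(when.weekday(), set())
    if location not in usual_locations:
        reasons.append(f"{location} login not seen on {when.strftime('%A')}")

    if resource not in profile["resources"]:
        reasons.append(f"resource type '{resource}' never accessed before")

    earliest = min(profile["hours"]) - hour_slack
    latest = max(profile["hours"]) + hour_slack
    if not earliest <= when.hour <= latest:
        reasons.append(f"hour {when.hour:02d}:00 outside usual {earliest:02d}-{latest:02d}")

    return reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Constructed new events: one routine, one that breaks three habits at once.
    for event in [
        ("bill", "2017-02-21T09:20", "office", "billing"),
        ("bill", "2017-02-22T02:40", "office", "patient_records"),
    ]:
        print(event, "->", check_event(baseline, event) or "matches baseline")
```

A valid password alone passes neither check; the second event is flagged even though the credential itself is correct, which is the property the quote is pointing at.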

Of course, readers of this blog will have their own strategies in place for protecting credentials, but Lees’ suggestions are worth considering as well. When you’re dealing with valuable health data, it never hurts to go that extra mile. If you don’t, you might get a visit by the HIPAA police (proverbial, not actual).

Patient Misidentification Remains Common

Posted on February 27, 2017 | Written By Anne Zieger

The following information was released several weeks ago, but I just found it and thought readers would still find it relevant. The research, from security researcher Ponemon Institute, concludes that patient misidentification is relatively common and continues to impact patient safety and experience.

Late last year, Ponemon surveyed 503 healthcare professionals from across the US, including nurses, physicians, IT practitioners and leaders in financial operations, on the frequency and root causes of patient misidentification, as well as the consequences.

According to the researchers, 86% of respondents said they’d witnessed or know of medical errors resulting from patient misidentification. And 67% said that when searching for patient information, they find duplicate medical records for that patient almost all of the time. Along the way, about three-quarters of respondents agreed that use of biometrics could reduce patient misidentification and by extension, cut down on medical errors.

The most common root cause of patient misidentification was incorrect identification at registration (chosen by 63%), followed by time pressure when treating patients (60%), insufficient employee/clinician training and awareness (35%), too many duplicate medical records in system (34%), registrar errors (32%), turf wars between departments (29%), inadequate safety procedures (20%), over-reliance on homegrown or obsolete identification systems (15%) and misinformation provided by patient (9%). (The remaining 3% was reported as “other”.)

The key causes of misidentification named in the survey included the inability to find a patient’s chart or medical record (68% of respondents), a search or query which brings up multiple or duplicate medical records for a patient (67%), patient associated with incorrect records due to same names and/or dates of birth (56%), or having the wrong record pulled up for a patient because another record in the registration system or EMR has the same name and/or date of birth (61%).

Not surprisingly, the survey also suggests that widespread patient misidentification can have a serious financial impact. On average, Ponemon says, respondents said that more than one-third of all denied claims resulted directly from an inaccurate patient identification or inaccurate/incomplete information. This costs the average healthcare facility $1.2 million per year, they reported.

Meanwhile, patient identification problems have a negative impact on patient experience, the survey concluded. Sixty-nine percent of respondents told researchers that staff spent up to or more than 30 minutes per shift contacting medical records or HIM departments to get critical patient information.

Not only that, misidentifying patients can have a ripple effect, with missing or incomplete information leading to patient care delays. Thirty-seven percent of respondents said that they spent an hour or more contacting medical records or HIM departments to get critical patient information.

FDA Weighs In On Medical Device Cybersecurity

Posted on January 5, 2017 | Written By Anne Zieger

In the past, medical devices lived in a separate world from standard health IT infrastructure, typically housed in a completely separate department. But today, of course, medical device management has become much more of an issue for health IT managers, given the extent to which such devices are being connected to the Internet and exposed to security breaches.

This has not been lost on the FDA, which has been looking at medical device security problems for a long time. And now – some would say “at long last” – the FDA has released final guidance on managing medical device cybersecurity. This follows earlier final guidance on the subject, released in October 2014.

While the FDA’s advice is aimed at device manufacturers, rather than the health IT managers who read this blog, I think it’s good for HIT leaders to review. (After all, you still end up managing the end product!)

In the guidance, the FDA argues that the best way to bake cybersecurity protections into medical devices is for manufacturers to do so from the outset, through the entire product lifecycle:

Manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.

Specifically, the agency is recommending that manufacturers take the following steps:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices
  • Know, assess and detect the level of risk vulnerabilities pose to patient safety
  • Establish a process for working with cybersecurity researchers and other stakeholders to share information about possible vulnerabilities
  • Issue patches promptly, before they can be exploited

The FDA also deems it of “paramount” importance that manufacturers and stakeholders consider applying core NIST principles for improving critical infrastructure cybersecurity.

All of this sounds good. But considering the immensity of the medical device infrastructure – and the rate of its growth – don’t expect these guidelines to make much of an impact on the device cybersecurity problem.

After all, there are an estimated 10 million to 15 million medical devices in US hospitals today, according to health tech consultant Stephen Grimes, who spoke on biomedical device security at HIMSS ’16. Grimes, a past chair of the HIMSS Medical Device Security Task Force, notes that one 500-bed hospital could have 7,500 devices on board, most of which will be networked. And each networked monitor, infusion pump, ventilator, CT or MRI scanner could be vulnerable to attack.

Bottom line, we’re looking at some scary risks regardless of what manufacturers do next. After all, even if they do a much better job of securing their devices going forward, there’s a gigantic number of existing devices which can be hacked. And we haven’t even gotten into the vulnerabilities that can be exploited among home-based connected devices.

Don’t get me wrong, I’m glad to see the FDA stepping in here. But if you look at the big picture, it’s pretty clear that their guidance is just a small step in a very long and complicated process.

An Alternate Way Of Authenticating Patients

Posted on July 5, 2016 | Written By Anne Zieger

Lately, I’ve been experimenting with a security app I downloaded to my Android phone. The app, True Key by Intel Security, allows you to log in by presenting your face for a scan or using your fingerprint. Once inside the app, you can access your preferred apps with a single click, as it stores your user name and passwords securely. Next, I simplified things further by downloading the app to my laptop and tablet, which syncs whatever access info I enter across all devices.

From what I can see, Intel is positioning this as a direct-to-consumer play. The True Key documentation describes the app as a tool non-techies can use to access sites easily, store passwords securely and visit their favorite sites across all of their devices without re-entering authentication data. But I’m intrigued by the app’s potential for enterprise healthcare security access control.

Right now, there are serious flaws in the way application access is managed. As things stand, authentication information is usually stored in the same network infrastructure as the applications themselves, at least on a high-level basis. So the process goes like this, more or less: Untrusted device uses untrusted app to access a secure system. The secure system requests credentials from the device user, verifies them against an ID/PW database and if they are correct, logs them in.

Of course, there are alternatives to this approach, ranging from biometric-only access to instantly-generated, always-unique passwords, but few organizations have the resources to maintain super-advanced access protocols. So in reality, most enterprises have to firewall up their security and authentication databases and pray that those resources don’t get hacked. Theoretically, institutions might be able to create another hacking speed bump by storing authentication information in the cloud, but that obviously raises a host of additional security questions.

So here’s an idea. What if health IT organizations demanded that users install biometrically-locked apps like True Key on their devices? Then, enterprise HIT software could authenticate users at the device level – surely a possibility given that devices have unique IDs – and let users maintain password security at their end. That way, if an enterprise system was hacked, the attacker could gain access to device information, but wouldn’t have immediate access to a massive ID and PW database that gave them access to all system resources.

What I’m getting at, here, is that I believe healthcare organizations should maintain relationships with patients (as represented by their unique devices) rather than their ID and password. While no form of identity verification is perfect, to me it seems a lot more likely that it’s really me logging in if I have to use my facial features or fingerprint as an entry point. After all, virtually any ID/PW pair chosen by a user can be guessed or hacked, but if you authenticate to my face/fingerprint and a registered device, the odds are high that you’re getting me.

So now it’s your turn, readers. What flaws do you see in this approach? Have you run into other apps that might serve this purpose better than True Key? Should HIT vendors create these apps? Have at it.

NIST Goes After Infusion Pump Security Vulnerabilities

Posted on January 28, 2016 | Written By Anne Zieger

As useful as networked medical devices are, it’s become increasingly apparent that they pose major security risks. Not only could intruders manipulate networked devices in ways that could harm patients, they could use them as a gateway to sensitive patient health information and financial data.

To make a start at taming this issue, the National Institute of Standards and Technology has kicked off a project focused on boosting the security of wireless infusion pumps (Side Note: I wonder if this is in response to Blackberry’s live hack of an infusion pump). In an effort to be sure researchers understand the hospital environment and how the pumps are deployed, NIST’s National Cybersecurity Center of Excellence (NCCoE) plans to work with vendors in this space. The NCCoE will also collaborate on the effort with the Technological Leadership Institute at the University of Minnesota.

NCCoE researchers will examine the full lifecycle of wireless infusion pumps in hospitals, including purchase, onboarding of the asset, training for use, configuration, use, maintenance, decontamination and decommissioning of the pumps. This makes a great deal of sense. After all, points of network connection are becoming so decentralized that every touchpoint is suspect.

The team will also look at what types of infrastructure interconnect with the pumps, including the pump server, alarm manager, electronic medication administration record system, point of care medication, pharmacy system, CPOE system, drug library, wireless networks and even the hospital’s biomedical engineering department. (It’s sobering to consider the length of this list, but necessary. After all, more or less any of them could conceivably be vulnerable if a pump is compromised.)

Wisely, the researchers also plan to look at the way a wide range of people engage with the pumps, including patients, healthcare professionals, pharmacists, pump vendor engineers, biomedical engineers, IT network risk managers, IT security engineers, IT network engineers, central supply workers and patient visitors — as well as hackers. This data should provide useful workflow information that can be used even beyond cybersecurity fixes.

While the NCCoE and University of Minnesota teams may expand the list of security challenges as they go forward, they’re starting with looking at access codes, wireless access point/wireless network configuration, alarms, asset management and monitoring, authentication and credentialing, maintenance and updates, pump variability, use and emergency use.

Over time, NIST and the U of M will work with vendors to create a lab environment where collaborators can identify, evaluate and test security tools and controls for the pumps. Ultimately, the project’s goal is to create a multi-part practice guide which will help providers evaluate how secure their own wireless infusion pumps are. The guide should be available late this year.

In the meantime, if you want to take a broader look at how secure your facility’s networked medical devices are, you might want to take a look at the FDA’s guidance on the subject, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software.” The guidance doc, which was issued last summer, is aimed at device vendors, but the agency also offers a companion document offering information on the topic for healthcare organizations.

If this topic interests you, you may also want to watch this video interview talking about medical device security with Tony Giandomenico, a security expert at Fortinet.