Medical devices play a critical role in diagnosis, treatment and rehabilitation of disease and illness. According to estimates, over 50,000 medical devices are in use on a daily basis in healthcare facilities all over the world. Some of them are simple, while others are quite complex and combine more than pone technology. The global market of medical devices is estimated at US$150 billion, and is expected to grow at a rate of 5 per cent annually over the decade.
A critical resource in the healthcare ecosystem
Medical devices are tangible assets that need to be maintained properly. They require a lot of investment, have a direct effect on human lives, are very sensitive, have high maintenance costs in a lot of cases, and some of them have short shelf lives. According to estimates by the World Health Organization (WHO), over 50 per cent of the medical equipment in developing countries are non-functional, are not used correctly, and are not maintained by health facilities. Not only does it have far-reaching consequences for healthcare service delivery, it is also a waste of scarce and valuable resources. Unless hospitals have a proper policy in place for the management of medical devices, it is difficult to aright the situation.
This problem is further compounded by the fact that most hospitals fail to utilise the full potential of the technology that is currently available. If you pay attention to the depreciation value of medical devices from procurement to use, you will notice that it is highly non-typical. On an average, 30 per cent of depreciation occurs because of incorrect specifications and over-sophistication before the device is put to use. The value depreciates even further once it is in use due to a number of reasons. These include, but are not limited to irrational use, shortage of spare parts, lack of inspection and preventive maintenance, and repair agreements with the supplier. Owing to all these factors, the value of a device falls to about a tenth of the original investment.
As a critical component of clinical and support technologies in the healthcare ecosystem, medical equipment must be managed and used properly to produce effective medical intervention. Unfortunately lack of an optimal skill base, proper selection and acquisition, maintenance and repair budget, support infrastructure, and managerial skills result in a waste of meagre resources, especially in healthcare facilities in tier 2 and tier 3 cities. Despite the huge amounts of money that is spent on medical devices, resource management is not considered an integral component of hospital policy. This is a major oversight on the part of hospitals as it fails to factor in future financial liabilities. It is not sustainable in the long run, considering the fact that medical device design is rapidly evolving with advancements in technology. These developments pose a new set of threats, which unless addressed beforehand, will end up becoming costly for both hospitals and patients, severely harming the reputation of the former and the safety of the latter. Medical devices fail for a number of reasons and all possible causes must be taken into consideration.
The Food & Drug Administration (FDA) of the United States has released countless warnings regarding the common vulnerabilities that plague medical devices. These vulnerabilities pose a threat to patient safety. The list not only include magnetic resonance imaging (MRI) machines and computed tomography (CT) scanners, but also other medical devices like infusion pumps, electrocardiogram (ECG) machines, and lab analysers to name a few. What complicates the situation further is the fact that clinical systems are increasingly connected to smart devices, which makes them prone to cyber attacks. If hackers or vested interests manage to tamper with the medical devices, it endangers the lives of patients.
What makes medical devices risk-prone?
Updating medical equipment is a complicated process. Hospitals often take a lot of time before they receive the final patches. The heavy patient load also means that they have to wait to apply the patches to the equipment. To add to the woes, many healthcare facilities operate legacy systems that no longer support the new patches. A lot of medical devices have to be retrofitted for networking purposes, facilitating real time data sharing and process automation so that the device can be managed remotely by the vendors. It is essential for healthcare providers to prioritise this because if a product is not receiving updates to fix vulnerabilities, it can give unscrupulous elements an entry point into the provider’s network, which can put patient safety at risk.
Rogue hackers can also intrude the internal network of hospitals and take control of connected devices and steal sensitive data. One of the most famous examples in recent memory was the WannaCry ransomware attack of 2017, which targeted National Health Services (NHS) hospitals in Scotland and England, affecting close to 70,000 medical devices. Many NHS services refused emergency cases, and even ambulances had to be diverted. If not for the built in kill switch, the magnitude of the attack would have been a lot worse. Another study found that 36 out of every 10,000 heart attacks occurred every year as a result of cyber attacks that caused a delay in treatments. According to the researchers, it took approximately 3 minutes for patients who suffered a heart attack to get an electrocardiogram after a cyber attack.
Even a simple intrusion into a hospital’s IT network can have a negative impact on the regular operations of medical devices because of their inherent vulnerability. As a matter of fact, it does not even require specialised expertise or sophisticated software to get the job done. Even a reasonably educated patient can learn about the control codes of machines and hack into these Devices. There is no denying that this is a serious risk that is only set to increase in magnitude in future.
The need for transparency
Another dimension to the problem is the lack of accurate repository and documentation of device failure. Healthcare providers fail to monitor the performance of medical devices and report the problems in time. Even if we somehow manage to build a report of injuries caused by device malfunctions, it will be difficult to tell how many of the faults were caused due to network tampering. Moreover, medical device failures fall between IT departments and biomedical engineering. So unless healthcare facilities are prepared to make the information public, it is difficult to get a realistic assessment of the impact.
To address this problem, healthcare facilities must maintain a central repository of all the medical devices. Automated systems can be used to maintain an up to date inventory. Clinical workflows must incorporate the role of medical devices to estimate the impact of malfunctioning devices on the quality of patient care. The system must also be used to monitor device communications to identify anomalies in case of an intrusion.
Healthcare providers are gradually becoming aware of the need to secure medical devices. Only after we establish clear systems and methods for analysing device failures will be begin to have a full idea of the risks involved. Once we have better visibility and control over the functional aspects of medical devices, healthcare facilities will be able to better safeguard the safety of their patients and ensure continuity of treatment