By Robin Faut
At the hospital where I work, we recently received a field recall for an operating room device. While I will withhold the name of the company and device, the recall was titled “Field Cybersecurity Routine Update and Patch Notice.” The title of this notice intrigued me as, to the best of my knowledge, this device has no network connection, holds no patient data, and transfers no data to any other system. I am writing this article as an objection to the potentially misleading wording of the title for this routine patch notice.
Before I get started, let me explain my position and experience. I have been a biomedical technician for over 20 years, and I was a computer systems analyst for five years before that. Beyond the associate degree needed to become a biomed tech, I hold a master’s degree in network security, as well as CBET certification and several IT certifications. As a biomed tech, I am currently working with connectivity of medical devices to networks.
Now, back to the patch notice. As mentioned above, the notice uses the term “cybersecurity.” As also mentioned above, the intended device does not connect to any network or other device. It does have a disposable accessory that is often “reprocessed” by third parties and a trunk cable to that disposable which has a limited life. This being the case, how can this device have a “cybersecurity” issue? First, let me give the defense of the company and notice.
I got my hands on a used disposable and cable for the device at end-of-life and tore them apart. I found that the cable had a chip in the plug that I assume is a use counter. (I was not able to get numbers off this chip, but it only had contacts to the main unit.) I found no reason for an upgrade of cybersecurity there. I next tore apart the disposable, and I found two chips in the handle that communicate through two wires through the trunk cable to the unit. Researching the chips showed that they were “communication” CPUs with in-chip instruction sets and memory. These are intended to communicate the depression of the four buttons on the disposable handle, and here is where there is a possible defense of the notice.
One CPU slaves to the other CPU, which communicates to the main unit through two wires. This means it is a serial communication that could go both ways. This communication can be encrypted to ensure single use and that the correct disposable is connected to the unit. The assumption of communications being encrypted is backed by the notice referencing a posting (ICSMA-17-332-01) on the website ICS-Cert.US-Cert.gov. It appears that the main unit has a limited memory for the encryption key used, which allows for the reprocessing of the disposables. As this is communication between a CPU chip and the main unit in a likely encrypted manner, this can be argued to be “cybersecurity.”
Now, let me blow holes in this. Cybersecurity is the endeavor of creating security of one’s property (physical, electronic and intellectual) in cyberspace – or, as defined by the Oxford English Dictionary, “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.” “Cyberspace” is defined by the Oxford English Dictionary as “the notional environment in which communication over computer networks occurs.” Based on these definitions and concepts, what “cybersecurity” issues can there possibly be with this piece of equipment? It does not communicate with other devices over any kind of network. It does not reside in “cyberspace” in any way. The only data it might collect and hold is the keys of used disposables. Any security on the programming and/or design of the unit is already out in the world and not retrievable. The disposable neither gathers nor holds data on the patient, or the notice would be for the disposables. The only plausible purpose for this notice is to do an update to the unit to prevent reprocessing of disposables (and the notice does state that reprocessed disposables will not work after the update). That leads me to believe that the only reason for using the term “cybersecurity” is to scare users into doing the update.
What bothers me about the wording of the patch notice is that it appears to be essentially scaring hospitals and doctors into doing an upgrade to monopolize business. These units were purchased with the understanding that reprocessing was available. Now, the manufacturer is changing the rules and understanding of the users’ cost of ownership. If the unit was purchased with the up-front understanding that the use of reprocessed disposables was not going to be supported, it would not be an issue. However, the manufacturer originally offered reprocessing, only to later sell the reprocessing operation to another company. This is sort of like buying a maintenance program for the labor on your car and, halfway through the program, finding they no longer will use the oil you supply. Instead, they make you buy their brand, at twice the price of any other brand, by saying that the program cannot be responsible for the contaminant that other oils pick up in the environment.
Let us be frank: most hospitals barely break even financially. Most of the businesses that work with hospitals have a much higher profit margin than the hospital itself. So, rather than engaging in these blind-side tactics to get more money out of the part of the medical industry that is least profitable, manufacturers should be truthful and up front about the full cost of ownership and operation of their equipment, thus allowing hospitals to plan well enough to survive and ultimately buy more equipment.
– Robin Faut is a Biomedical Technician III/Device Connectivity for Olathe Health in Kansas.