Week Four
Hello! Welcome to this week's Ryan Report. Today, I will profile Stephanie Domas' piece that discusses cybersecurity patches for medical devices.
Domas describes a well-known concept in the security and information technology industry: applying updates and patches. However, there are significant differences between applying patches to a traditional IT system and a medical device that is providing life-sustaining care to an individual. Namely, there aren't literally lives on the line when applying patches to a Windows server.
Medical device updates are applied either by a healthcare clinical engineer or clinical security team, or by the patient themselves. Domas talks about Class II versus Class III medical devices, and suggests that the higher-risk Class III device patches should only be applied by a professional.
This leads in to her next point, the cost associated with updating medical devices. To date, there isn't a medical billing code for "cybersecurity updates." In some cases, medical device manufacturers are able and willing to cover update costs. However, more often than not, costs are incurred by healthcare providers.
Domas expresses concern that these costs may be prohibitive to the update process, and I tend to agree. At the very least, there is a definite lack of established schedule and procedure that healthcare organizations can follow to properly and safely patch patient-connected medical devices.
Domas describes a well-known concept in the security and information technology industry: applying updates and patches. However, there are significant differences between applying patches to a traditional IT system and a medical device that is providing life-sustaining care to an individual. Namely, there aren't literally lives on the line when applying patches to a Windows server.
Medical device updates are applied either by a healthcare clinical engineer or clinical security team, or by the patient themselves. Domas talks about Class II versus Class III medical devices, and suggests that the higher-risk Class III device patches should only be applied by a professional.
This leads in to her next point, the cost associated with updating medical devices. To date, there isn't a medical billing code for "cybersecurity updates." In some cases, medical device manufacturers are able and willing to cover update costs. However, more often than not, costs are incurred by healthcare providers.
Domas expresses concern that these costs may be prohibitive to the update process, and I tend to agree. At the very least, there is a definite lack of established schedule and procedure that healthcare organizations can follow to properly and safely patch patient-connected medical devices.
Comments
Post a Comment