Earlier this month I attended the Digital Medical Expertise & Applications (DMEA) 2019. The DMEA fair in Berlin (formerly conhIT) is the central platform for digital health care, as it brings together health IT companies, academic institutions, politics and healthcare delivery organizations in several formats, such as innovation hubs and talks during congress sessions that are part of the industry fair. I participated in a congress session about IT security in healthcare with a talk about medical device security and common security flaws in medical devices. Some of the aspects have also been covered in my talk at #TR19.
As a follow-up to the very fruitful discussions between people from the car industry and medical device security folks in the IoT roundtable session at #TR19, I wanted to share my experiences and insights from the DMEA with you.
There are plenty of different topics being discussed in the medical informatics community at the moment, such as digital transformation in care, standards and interoperability, innovative diagnostics, mHealth, artificial intelligence, digital patient records or the telematics infrastructure in Germany, just to name a few. The event was opened by the German Federal Health Minister Jens Spahn. In his keynote, he once again called for a faster pace for the digital agenda, something for which he is often accused of going too fast.
“I think in two years we’re so far behind that it does not matter. We are at a time when it is very important that we catch up with what we have lost in recent years.”
Jens Spahn, DMEA Opening Keynote, April 9, 2019. Translated from German.
I agree that we need to increase our efforts to push digitization in Germany, but I am also of the opinion that we need to do this in a reasonable way that includes well-thought-out concepts as well as a basic understanding of what we really want and need to change in the near future, instead of questioning well-proven concepts we developed for years that are on the way to be kicked off. This is especially important as proper security design is often missed when projects are rushed.
Another development I saw in Berlin is that more and more people are claiming that increasing security awareness in healthcare decreases the chances of a potential cyber-attack, and are offering cyber insurance for incidents. All the described cases were about ransomware and phishing attacks. Yes, in these cases, security awareness is important, but it is not a silver bullet, because these cases represent only a small area of the security problems healthcare is facing. Reducing security risks is especially challenging. The healthcare environment is complex, and manufacturers and hospitals must work together to manage security risks.
We, as the security community, need to assist in solving human and technical security problems in this complex environment and should not help push security problems onto healthcare professionals and providers.
Finally, I would be glad to receive input for a research project that is currently running:
We are conducting ManiMed (Manipulating Medical Devices), a research project funded by the German Federal Office for Information Security (BSI). In this project, we first analyze the market of recently marketed network-enabled medical devices. Afterwards, security assessments of selected devices, e.g. pacemakers, insulin pumps, patient monitors, syringe pumps and ventilators, will be performed. This offers multiple opportunities:
In case you are a healthcare professional or patient: If you encountered a device that acted “weird” in some way, for example during a surgery, or if your organization purchased glittering new network-enabled devices, we would be grateful for hints.
In case you are a manufacturer of medical devices: Feel free to contact us as well. We do not want to publicly blame anyone; instead, we would like to take the opportunity to take responsibility seriously and help to increase the level of security of medical devices.
Thank you very much!
 Julian Suleder. Medical Device Security – Please (don’t) be patient. Troopers 19. Online: https://www.youtube.com/watch?v=0BYrmbvrpiQ. Last accessed: April 29, 2019.
 Jens Spahn. DMEA Opening Keynote. DMEA 2019. Online: https://www.youtube.com/watch?v=p3zwGRQ4ilQ. Last accessed: April 29, 2019.