What Healthcare Can Learn From Tesla...

In recent media coverage, hackers have been able to remotely control an SUV.  This is just one of four targeted car hacks!  I couldn’t help but think of the car chase scene in Tomorrow Never Dies!  What’s the next target, airplane engines?

I think the Healthcare and Automotive industries are in a similar place in the Cybersecurity space.  It is not a happy place.  I have been writing medical grade software for GE for over 10 years.  Before that, fresh out of college, I worked for GM.  I still remember the CANBUS training they sent me to over 20 years ago; that bus is now the focus of many of these hacks.  I see a lot of parallels between the two industries:

  • Highly Regulated
  • Long Development Cycles
  • Cybersecurity targets

Highly Regulated

Because of the potential for safety issues, both industries are highly regulated.  Both the FDA and NHTSA have no lack of standards and guidance documents!  They both have the power to enforce recalls and even injunctions that can scare any corporation straight into ultra-conservatism.

Long Development Cycles

High regulation leads to long development cycles.  Most corporations have procedures, but those in a highly regulated environment have layers upon layers of process ... more layers than an onion.  The result is multi-year development cycles for cars and medical devices.  So much time is spent on making sure the product is safe and correct that the expectations of the current App-Savvy generation of users are not met.  Connectivity suffers: medical devices that talk to each other, and car entertainment systems that integrate with smart devices, arrive late or not at all.  I can't believe that the auto industry is still using CANBUS, but I guess Healthcare can't be too critical because we are still using HL7.

Cybersecurity targets

Long development cycles lead to cybersecurity issues.  Long cycles give security researchers a target-rich environment, and the fact that safety products get much more press coverage when compromised puts a big target on these systems.  As a sidebar, to maintain their integrity, researchers absolutely must publish their findings publicly; they may not be doing it just for the "fifteen minutes of fame."

Ever since STUXNET, the first virus to cause physical damage, Cybersecurity researchers have started hacking the real world.  The result has been automotive recalls by Jeep, Chrysler and Dodge as well as Toyota, Ford, Audi and Nissan.  In Healthcare, insulin pumps, infusion pumps and narcotics dispensers have all been hacked.  Just imagine if an MRI machine was compromised!  SANS (a security research and information institute) and the FBI have both issued warnings to the Healthcare industry.

Cybersecurity progress comes via innovation, not regulation

Regulation is necessary because there has to be a minimum standard for Cybersecurity in safety systems.  But regulation is not enough when technology is moving faster every day.  True innovation is always a challenge, but it is especially so in large corporations in established industries that are heavily regulated.  I know because I have tried for many years.  The challenge always seems to be the organization’s cultural resistance to change.

None of these obstacles have deterred Elon Musk and Tesla Motors.  Tesla supports over the air (OTA) updates to the software that runs their cars.  Is that scary for a safety device?  I would propose that it is a scary safety issue to not build in a software update mechanism!  If Tesla can do this, why can't others in a regulated industry do this as well?
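What a safe update mechanism has to get right is the device-side check, not the download.  The following is an added example, not code from this post and not Tesla's or any vendor's implementation.  It assumes a vendor-held Ed25519 signing key, a manifest carrying the update's version and the SHA-256 digest of the firmware image, and a device that refuses images whose manifest is not signed by the vendor key, whose version is not newer than what is installed, or whose bytes do not match the signed digest.  The names `Manifest`, `SignUpdate`, `VerifyUpdate` and `Scenario` are this example's own, and the firmware bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of one update: the version it carries
// and the SHA-256 digest of the firmware image it authorises (assumed layout).
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// encode gives the canonical byte form that is signed and later verified.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+len(m.Digest))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid")
	ErrRollback       = errors.New("update version is not newer than installed version")
	ErrDigestMismatch = errors.New("firmware digest does not match manifest")
)

// SignUpdate runs on the vendor's build system, the only place the private key lives.
func SignUpdate(priv ed25519.PrivateKey, version uint32, firmware []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(firmware)}
	return m, ed25519.Sign(priv, m.encode())
}

// VerifyUpdate runs on the device before anything is written to flash.
// Order matters: nothing in the manifest is trusted until its signature checks out.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, firmware []byte) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed { // anti-rollback: a genuinely signed old image is still a downgrade
		return ErrRollback
	}
	if sha256.Sum256(firmware) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

// Scenario exercises the device-side check against constructed inputs and
// returns the outcome of each case so it can be inspected or asserted on.
func Scenario() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	if err != nil {
		panic(err)
	}

	const installed = uint32(2)
	firmware := []byte("constructed firmware image v3") // placeholder bytes, not a real image
	results := map[string]error{}

	// Genuine update: signed by the vendor, newer than installed, bytes intact.
	m, sig := SignUpdate(vendorPriv, 3, firmware)
	results["genuine"] = VerifyUpdate(vendorPub, installed, m, sig, firmware)

	// Same valid manifest, but the image was altered in transit.
	tampered := append([]byte{}, firmware...)
	tampered[0] ^= 0xff
	results["tampered image"] = VerifyUpdate(vendorPub, installed, m, sig, tampered)

	// A real, vendor-signed but older image replayed at the device.
	oldImage := []byte("constructed firmware image v1")
	oldM, oldSig := SignUpdate(vendorPriv, 1, oldImage)
	results["rollback"] = VerifyUpdate(vendorPub, installed, oldM, oldSig, oldImage)

	// A manifest signed with a key the device has never been told to trust.
	forgedM, forgedSig := SignUpdate(otherPriv, 4, firmware)
	results["wrong key"] = VerifyUpdate(vendorPub, installed, forgedM, forgedSig, firmware)

	return results
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-15s -> %v\n", name, err)
	}
}
```

Only the "genuine" case returns nil; the other three each fail on the specific check that catches them.  The version-in-the-manifest detail is what turns a signature check into a rollback defence: without it, an attacker who collects an old signed image can downgrade the device to a release with a known bug.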

Image: jurvetson/Flickr