The COVID-19 pandemic forced the health care sector to rapidly evolve its telehealth and remote care processes. A prime example of this shift in care processes can be seen with the Department of Veterans Affairs, the largest health care system in the country.
While the focus on patient safety has remained constant, the VA has also worked closely with the Food and Drug Administration to drive education efforts on these ongoing challenges. On Tuesday, FDA Cyber Policy Advisor Jessica Wilkerson and VA Deputy Chief Information Security Officer and Privacy Officer Joseph Stenaka shared insights into these efforts and recommendations for providers.
The VA was a telehealth pioneer, launching its program in the 1960s to reach all veterans even if they’re unable to come to clinics or hospitals for medical care. Prior to the pandemic, the VA saw an average of 300,000 telehealth visits each year as the largest telehealth provider in the U.S.
Like most in health care, the pandemic brought along a massive increase in technology across the VA that led agency leaders to rethink previously established processes to ensure the safety of veterans, their caregivers, family members, and providers.
The expansion of remote technologies enabled the VA to see more than 12.4 million telehealth visits since the start of the pandemic. Stenaka believes this rate of telehealth will continue even when the pandemic ends through a hybrid approach. In his words, "face-to-face visits will resume at normal levels, but there will be a continued “reliance on telehealth because it helps increase the veterans experience with the medical service."
Patient safety first, always
The VA centers its telehealth program on both the needed cybersecurity and patient safety, as core operational requirements and determine where those two elements meet. But often, when judgement calls are made, it’s always patient safety first, explained Stenaka.
“In the early days of cyberattacks, we saw pacemakers and insulin pumps potentially connecting with radio frequency and being hacked,” said Stenaka. The challenges have expanded as the VA has more than 1,100 clinics and hospitals. But “it’s a challenge for any big organization to know where all the devices are.”
“You buy five more infusion pumps, and now they connect to your internet, your networks,” he continued. “You have to know about them, they have to be patched, and you have to work with the vendors…. to service all the way from protecting veteran data, to ensuring the availability of lifesaving care with IP-connected devices is critical. It's a lifecycle from the data to the patient.”
Medical devices are very critical, as well, he explained. The VA is working with the FDA to address these medical device security risks, as devices that connect to the internet can be attacked or compromised, which could lead to a “stoppage of life-saving care.”
The VA’s mission hasn’t changed during the pandemic, outside of a greater focus on medical devices and the safeguards protecting veteran data, he added.
FDA-VA cybersecurity, patient safety mission
The FDA doesn’t have a direct involvement in telehealth, but rather the medical devices that support these technologies, explained Wilkerson. As hospitals continue to utilize more and rely on remote care, the medical devices have to be very secure and do what they’re meant to do – “and not what they’re not supposed to do.”
As telehealth increased amid COVID-19, she noted it’s more important for the FDA to partner with government and private sector partners that are “helping the FDA modernize to ensure that these devices and others are being deployed in a safe way.” That includes ensuring all parties understand the risk as devices move throughout these environments.
The big question is: what does it mean for a medical device or computer to be cyber-secure? Wilkerson noted that the FDA works closely with reviewers who take in medical device files and examines the data to “determine whether or not they should be given authorization to be sold to go on the market.”
The FDA is “examining the cybersecurity controls to see whether or not they're sufficient. Do they do what they're supposed to do? Do they prevent the medical device from not doing what the medical device is not supposed to do?” The FDA also works with private sector partners “because cybersecurity is borderless and all of these things are going to be able to interact.”
Part of the analysis component is addressing the immature cyber posture of most health care providers. Wilkerson notes that the sector is a softer target and as long as there’s money to be made in hacking things, those outside threats won’t go away.
However, medical devices are also vulnerable to simple mistakes, either in developing, patching, misconfigurations, or other mishaps.
The FDA is working to educate providers on the reality that “you don’t need a malicious or unauthorized actor to have a cybersecurity incident,” said Wilkerson. “You can have a bug, or an accident, and something happens -- but no one hacked it. There was no one on the other side of the keyboard, but you still have a patient safety risk.”
As such, the FDA is working to have these critical conversations with stakeholders on why these events are happening and attack motivations. However, “sometimes it’s just chaos, and we all have to be ready for that,” she added.
Speaking directly with patients on the risks and to evaluate their concerns is also a key mission of both agencies. Wilkerson noted that the FDA has determined patients want to know what’s going on with the devices they rely on for their health. Given the heightened risk some devices hold, it’s important that patients understand the risk and the importance of the device.
But if these leaders could impart the most important focus area for telehealth and medical devices, it would be to join free resource groups to gain valuable insights on what’s needed to improve overall security and to implement identity and access tools to secure those endpoints.
Those groups include the Healthcare and Public Health Sector Coordinating Council (HSCC) and the H-ISAC, which share industry-level threats and best practices often targeted to providers with limited resources.