As devices like heart monitors and insulin pumps become “smarter” and are communicating with other devices, their vulnerability to being hacked has also increased, as recent incidents have shown. Augusta University’s Cyber Institute at the new Georgia Cyber Innovation and Training Center plans to be a leader in protecting them and other health information systems, officials said.
The new $50 million Georgia Cyber Innovation and Training Center announced last week by Gov. Nathan Deal will eventually house the Augusta University Cyber Institute now on its Summerville Campus and allow the university to pursue much greater research into cybersecurity, particularly with health care, AU President Brooks Keel said.
“We have always seen that our strength is going to be in the cybersecurity of health information, health informatics, electronic medical records and electronic medical devices,” he said. The health system has already had conversations with two longterm partners, device-maker Philips and information technology giant Cerner, about collaborating on research, Keel said.
“That’s where I think our sweet spot in terms of developing research is going to be,” he said. In a blog post last week praising Deal and the new initiative, Cerner CEO Zane Burke said the company is looking forward to the new research.
“Much like new security enhancements now available broadly to health care providers as a result of militarizing Cerner’s commercial solutions to meet the Department of Defense’s more stringent security requirements, we expect our collaboration with Augusta University and AU Health to also benefit the broader health care industry through new and faster innovations in data protection,” he wrote.
But even before the new Georgia center was announced, the AU Cyber Institute had submitted a grant proposal to the National Science Foundation seeking to start work on cybersecurity for three medical devices: a pacemaker, an insulin pump, and a continuous positive airway pressure system or CPAP machine, said director Joanne Sexton. Those devices were not chosen at random, she said. For one, they treat diseases that are quite prevalent in Georgia and the southeast, such as diabetes and hypertension, she said. And they are home monitoring systems that involve communication between the device and a monitor.
“It is an interface that is very, very nice to begin to look at and understand,” Sexton said. “It’s really the communication pathways – how do you break in, and what security actually has been added or not.”
It is already a concern for the Food and Drug Administration and for some device manufacturers of those particular devices. Just last week, the FDA issued a safety communication about St. Jude Medical’s implanted cardiac devices and their home monitors had “cybersecurity vulnerabilities.” While stressing that there were no reports of anyone being harmed, there was the potential for someone to hack the monitor and “modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks,” the FDA said.
St. Jude created a software patch to correct it. But that is the type of thing the Cyber Institute wants to explore and potentially help correct, Sexton said. Philips has already agreed to supply some of its devices and Sexton believes other manufacturers will as well if the information is shared with them first.
“I think they are eager to know what some of those issues are so they have a chance to fix them,” she said. “They’re not trying to put the public at risk.”
Part of that will be made easier through the use of the “cyber range.” AU has a small one now but a much larger and more complete one will be built at the new Georgia Cyber center. The range is an isolated and restricted network that allows students to test vulnerabilities and confront malware and other bad actors in a secure environment that would not allow those bad elements to leak out.
“You have to look at evil, so to speak, to help educate your students,” Sexton said. “You have to give them an opportunity to be in what we would call a cyber range where they can actually work with it hands-on and develop their skills.”
Part of the Georgia center will be a “sensitive compartmented information facility” space with high-level security and multiple controls on access that has to be annually certified by the Department of Defense, according to documents supplied by Deal’s office.
The cyber skills training will extend statewide to 85 agencies and includes partnerships with the U.S. Army cyber units, the Department of Defense and the National Security Agency that will allow for those workers to have continuing education.
“What we’re looking at is how do you develop that cyber professional and keep those skills alive throughout their lifetime,” Sexton said. “That actually isn’t something that has been answered yet. If you’re not working on these things all of the time, these skills are very perishable.”
Part of the institute’s challenge will also be working with health systems, which increasingly use smart devices and electronic record information. Those systems need to share data and yet keep it secure, Sexton said. She said the financial industry has been taking on this challenge with online banking and other transactions for years, and has come up with standard systems that limit exposure, but health care can’t quite do that.
“People’s lives are at stake,” Sexton said. “Doctors can’t have enough information. In the health care arena, this is a very, very hard problem.”
And yet, it is one the industry has not fully invested in, she said.
“As an industry, health care isn’t spending the money, at least not yet, on cybersecurity,” Sexton said.
The new facility is around two years away, and even now there are empty offices and people who need to be hired to fill out the current institute. But it has a focus and it is aimed squarely at health care cybersecurity.
“Augusta University intends to be a national leader in this field,” Sexton said. “But we have to understand that these are our first steps.”
|The Augusta Chronicle
Reach Tom Corwin at (706) 823-3213 or firstname.lastname@example.org