Healthcare IT is Changing, Fast

The following is a guest article by Tim Bowe, CEO at Full Spectrum.

Over the past few decades, the healthcare information systems space has gone through cycles of pressure from changing technologies, but that pressure is now greater than ever before.

There is currently an explosion of technology and regulatory changes that are just beginning to impact the industry. The educational topics at this year’s HIMSS conference shed light on some of those new pressures: AI and ML, Digital Health Transformation, Cybersecurity, and Data Science in Healthcare Information, just to name a few. Of course, there are new FDA guidelines on AI, cyber security, and Software as a Medical Device as well. 

This has put a new level of pressure on healthcare information systems developers. Today’s products are based on enormous codebases, which have evolved over decades in some cases. This is a difficult starting point to adapt to rapidly changing market forces. The near future will require the integration of new technology and new concepts for decision support while simultaneously protecting systems against penetration. 

The trend toward care management extension from the hospital through provider offices, urgent care clinics, and the home environment comes with benefits such as vast improvements in care and reduced operating costs for some, but it also comes with significant technical challenges. 

A continuation of the current situation won’t be enough to meet these demands. Different engineering strategies are needed to deliver scalable, secure, and stable software coupled with a dynamic cloud ecosystem. A medical device or information systems company must overcome the following major obstacles: architecting for flexibility around AI engines, improved dependency management, cyber security, and adaptation to more complex and faster-evolving regulations.

Integrating AI engines into healthcare systems is critical. These new abilities, demonstrated almost simplistically by ChatGPT, will radically transform the industry. But integration is sure to be an ongoing development exercise. 

AI engines are evolving quickly. New approaches materialize with unnerving regularity, and it will take years for the eventual winners to be decided. Without the luxury of complete clarity and to avoid being locked into a non-competitive AI solution, healthcare solutions must be designed to support the wholesale replacement of the AI engine. Architectures must allow simple substitution of engines so that products can evolve along with the AI industry, always fielding the most capable technology.

Modern systems are built with the flexibility to accommodate a range of types and versions, high degrees of interactivity via unprotected access points, and global deployment. These robust systems need to be highly flexible, scalable, and available at all times. These characteristics, however, can undermine the development of a consistent security model.

The FDA guidelines on Cyber Security in Medical Devices represent only the latest step in prioritizing security for the industry. Fortunately, security can be treated as the default option – but only if initially architected and designed correctly. Distributed systems that implement security as an afterthought rarely offer the desired protection. It isn’t possible to avoid this problem in legacy systems, but cybersecurity must be a core consideration for new systems as well as the new functionality of old systems.

For connected systems integrating distributed users and medical devices, security considerations must be addressed at each system level. Obvious concerns include connections between devices and servers, which must implement industry-standard encryption in the transport layer. But that’s only the start. All software must be signed to ensure any updates are produced by authorized sources. Access through a device or web-based interface must implement authentication and authorization, while simultaneously avoiding the risk of locking out a provider during a life-threatening emergency.

For cloud-connected systems, the industry has adopted a “zero trust” policy, meaning all components of a large system are responsible for restricting access and validating operations. This ensures a security hole in one part of the system doesn’t become a problem for the whole system. In tandem with “least privilege,” this ensures that security in cloud services is now the rule and not the exception.

Modern software systems are essentially combinations of off-the-shelf software stacks composed of countless third-party dependencies. Simple single-page applications using popular web frameworks may include thousands of libraries. Often well-maintained and open source, many of these libraries are in a constant state of flux due to security patches and updates. A “finished” application can become out of date quickly without the right maintenance approach. This represents a fundamental change to software maintenance for systems suppliers. Annual or even quarterly updates won’t keep pace with components that must continuously respond to security issues.

The new regulations demonstrate that manufacturers are ultimately responsible for managing the risks of third-party software components: “All software, including that developed by the device manufacturer… and obtained from third parties should be assessed for cybersecurity risk and that risk should be addressed.” These risks are constantly evolving as issues are discovered over time. Keeping up with change is more than just good hygiene for a manufacturer; it’s now a requirement.

The software industry has developed tools to solve “out of date” issues, with dependency scanners built into cloud platforms and source control systems that will catch components that are out of date. Using these tools can be complex, requiring updates by engineering staff on a regular basis, complete with regression testing and a staged deployment strategy to avoid production outages. This requires continuous monitoring and a commitment to investing in maintenance. The DevOps philosophy that has taken root in the software industry in recent years is becoming increasingly relevant in the healthcare industry.

In the near future, there will be more and more demand to extend and enhance the capabilities of healthcare information systems. The present market for healthcare information systems will be greatly expanded by the additional capabilities, which will undoubtedly lead to some interesting new options for care delivery. However, this will bring with it increased development challenges; profitably deploying AI and improved cybersecurity will challenge many of the existing approaches to healthcare information systems. The technology around these systems is rapidly evolving and its impact on our industry will be unique. There will be entry barriers for manufacturers of healthcare information systems because of the fundamental changes to system architecture, particularly for risk analysis, AI, and cyber security. To adapt, current R&D teams must rebuild their skill sets. This is much more difficult to learn than a new language or platform, as we’ve seen. A major shift in the industry has occurred in the way that distributed systems with connected medical devices are designed, built, and maintained.

About Tim Bowe

Tim Bowe is the CEO at Full Spectrum. He has been an executive in the outsourced product development and engineering services industry for nearly 30 years, with domain experience and extensive writing in the areas of medical devices, healthcare information systems, automation, and robotics within complex capital equipment, as well as the development of products within the aerospace and telecom industries. Previously, he was COO of Emphysis and CEO of Foliage. Bowe has been an advisor and consultant to OEMs, engineering service providers, and the investment community.

   
