Wednesday, June 6, 2012

Our Government, The TSA, and Medical Device Security

Let's face it...we deal with security in a very reactive way, and we often end up with some real progress on the security front, along with some very real screwups.

I want to step back to 9/11 for a moment.  It is vivid and clear in most (if not all) of our minds.  After the 9/11 attacks happened, we witnessed a time when our government had a lot of power (and most of it remains today) to do almost anything they wanted to do in the name of securing our nation.  For the first time in my life I witnessed a Congress that passed sweeping laws that created a somewhat muted police state, cloaked as "The Patriot Act".  Those that chose to defy our leaders were labeled as miscreants (in some cases), or told that they were being unpatriotic.

Some things that came out of 9/11 were pretty good.  Locking of cockpit doors is one of them.  Another is a heightened sense of awareness by airline passengers, who are not likely to sit idly as terrorists attempt to mess around on an airplane.

Other things...not so much.

Anyone who travels today must now be subject to the circus we know as the security line at any major airport, which is a barricade often manned by everything from well experienced and conscientious agents, to agents that find their absolute power quite satisfying, and not in a good way.  We are forced to relinquish even the tiniest pocket knife, but are permitted to carry our laptops on the plane, each of which has a glass screen that could easily be broken, leaving us with a razor-sharp length of glass that could do far more damage in the hands of a would-be terrorist.  There have been instances of agents who have become so attentive to water bottles that they miss handguns in carry-on items.  Elderly people in wheelchairs are often forced to go through lengthy searches, and in at least one case I have personally witnessed several agents taking someone out of a wheelchair who could not stand up, and forcing him to go through a search while he tottered on the brink of falling.

One would hope, after more than a decade of dealing with security issues post 9/11, that we would be better at this than we are, and I certainly do not feel more secure.  I am simply more annoyed.  I don't fear terrorists at the airport.  I fear TSA agents who routinely search checked bags, and sometimes steal the contents.  I saw a story last week about a TSA agent who routinely stole iPads out of checked bags.  The TSA response was something like "We are looking into it."  Try as you will, but you are not likely to win an argument or case against the TSA.  They are, after all, supremely powerful in this day and age.

This brings me to the issue of medical device security.  I am seeing a lot of news stories lately where our government is being pressured to do something about medical device security.  Without question, it is an issue that has to be addressed.  The FDA is currently being pressed to act on cybersecurity issues, and it remains challenging, to say the least.

We face a situation today where Congress is likely to require the FDA to take a more active role in cyber security, and I am concerned that if this is done in a reactive and hurried manner, we face the possibility of overreaction.  Cyber security is not complicated, but it is a constant learning process that requires immersion to fully understand.  The FDA is currently one very busy agency, and in my conversations with the FDA, I have discovered that they are very challenged in keeping up with the workload they are presently facing, which would lead me to conclude that they are going to be very challenged in properly considering all the nuances of any cyber security decisions they may be forced to make.  As someone who has worked with (and continues to work with) medical device manufacturers, I have learned that patient safety, reliability of therapies, and ease of use are of utmost importance to manufacturers and patients alike, and decisions made about how to implement security must be tested to the nth degree before proceeding with implementation.  Congress must understand that if anything is mandated, there will indeed be manufacturers who will focus more on compliance than on creating a security culture, and what the FDA (and Congress) should focus on is first understanding what a security culture should look like, and how the risk profile changes with any security-related decision made by a device manufacturer.

It is important to understand that, as a traveller, I often have alternatives to dealing with air travel, and the repercussions of the inconvenience are generally limited to a specific instance (a trip).  The repercussions of bad decisions made on the medical device front are far more serious in nature.

I am off my soapbox.