Healthcare is a cyber criminal’s dream. It presents the intersection of a data treasure trove, weak security posture, limited resources, a complicated supply chain, and patient care delivery. When faced with having to pick a priority to optimize for, healthcare will, of course, always pick delivering healthcare. This means that when tradeoffs must be made and resources are limited, immediate patient care is prioritized over anything else.
A great example of this is looking at how connectivity evolved in medical devices. Initially, devices got an ethernet port because providers could enhance care delivery with limited connectivity across functional islands. These newly connected devices were isolated in a trusted network maintained by the healthcare delivery organization (HDO). This evolved into more complex and cross-organizational data sharing, workflows and systems to support care delivery, eventually spreading into the cloud and electronic health record (EHR) integrations.
Cloud and connected systems beget big sharable data, which in turn enable artificial intelligence applications, which in turn need more data. With COVID, the push for telehealth and remote patient monitoring has taken many of these devices beyond the walls (and protective network) of an HDO and into the hands of consumers. Healthcare went from large islands of information to highly integrated within a decade.
These innovations greatly enhanced patient and provider experience. But they also introduced a variety of cybersecurity considerations that were generally not solved because this had never been done!
State of Cybersecurity Affairs
While HDOs have increasingly been building cybersecurity competency, it is really hard for the consumer (i.e., the HDO) to conclude on the efficacy of a device’s cybersecurity posture, legally, technically, and in the context of a complicated IT infrastructure. That challenges their willingness to accept the higher price of a more secure device. This comes full circle, as medical device manufacturers (MDMs) cannot justify investing in cybersecurity when the market does not reward their incremental costs.
Given technical, regulatory, and legal limitations, HDOs effectively inherit MDM security decisions for devices procured, creating a dependence on MDMs publishing/facilitating updates, while the HDO is expected to continue to deliver safe and effective care.
This problem persists beyond the recommended shelf-life of a device. In a hypothetical HDO, if a $1 million device has reached the end of software support, but continues to be clinically effective, the HDO is faced with a decision: purchase a new device that’s supported, apply (with restrictions) security measures external to the device, or delay until clinical impact warrants investment into a replacement device.
And as noted above, HDOs optimize for healthcare delivery and patient outcomes, as they should. Therefore, it can be difficult to shift procurement, budget, staffing, and operations to prioritize software updates or device replacements in the absence of an immediate clinical need, or to take a life-sustaining device out of operation for any period of time in order to upgrade it.
In 2016 when the FDA released their postmarket cybersecurity guidance, it stipulated the collection of so-called cybersecurity signals. This indicates that at a future date we will have access to more telling technical insight to assess the impact of device information integrity on clinical outcomes. It also indicates that at this time, most ‘live’ devices were never architected to capture security log data – reinforcing that evidence of security incidents is difficult to obtain.
Last year saw an increase in cyber attacks on HDOs, including ransomware attacks, which previous studies demonstrate have an impact well beyond the “resolution” of the incident. This is further exacerbated by COVID, as substantiated in a recent study from CISA.
All signs indicate we are not sufficiently cyber-secure for the way healthcare wants to deliver care. The global pandemic complicated this as healthcare workers were rapidly sent home and asked to work remotely in hastily established environments. As some hospitals noted, it accelerated the digitization of operations by at least 10 years. Considering this in the context of increasingly moving care delivery to patient homes, this effectively eliminated the inherent protection of the hospital network. Furthermore, with devices outside of the hands of providers, routine maintenance and security updates became increasingly difficult.
The roles of HDOs and MDMs are complementary, and both need to cooperate to sustain a cyber-resilient posture.
HDOs and MDMs alike need consistent and transparent regulatory requirements and enforcement. Regulators are working hard to generate new guidance and seeking authorities to be able to implement consistent and transparent regulation.
Meanwhile, the HSCC has combined resources across HDOs to propose contract language to aid with cybersecurity assessments as part of the procurement process, while cybersecurity leader Mayo Clinic publishes their risk assessment criteria for public consumption. Engaging with a group that drives such activities, whether through industry collaboration or even group purchasing organizations (GPOs) that are assessing cybersecurity risks, seems like a practical and scalable starting point.
MDMs need to build products that meet a security baseline, are patchable, and are likely to get patched. In other words, secure at birth and securable thereafter. To do so, MDMs not only need technical capacity to identify threats and design security controls, they need to transform their organizations to establish the capacity and knowledge to produce secure products at scale.
MDMs need to assess that capacity (e.g., measure maturity with the JSP), identify gaps, and fill the gaps. They need to develop new processes around SBOMs (generation, identification, disposition, and disclosure), and incorporate threat modeling (see the FDA’s threat modeling playbook) across the entire lifecycle of a product. All of this needs to be done with strong signals from executive leadership and clear lines of accountability for pre- and post-market risk.
There are three main groups of devices, and each requires its own cybersecurity strategy:
– New devices: Begin the design with security considerations outlined, leverage tools to actively address as device innovation evolves, and don’t go at it alone.
– Devices still under support in the field: Risk-rank where to start in the portfolio, and tackle with operational support prioritizing uptime and security concerns.
– Legacy devices: Determine an end-of-support strategy for what’s in the field, and work with HDOs to prioritize moving onto the next generation.
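The SBOM processes mentioned above (identification and disposition of vulnerable components) and the "risk-rank where to start in the portfolio" step are abstract as written. The following is an added illustration, not code from the article or from any of the organizations it names. It assumes a constructed portfolio of three hypothetical devices, each with a CycloneDX-style SBOM reduced to (component, version) pairs, a constructed advisory list with "first fixed version" data, and asset-inventory flags for network exposure and vendor support. It then produces a per-advisory disposition for every device, a risk score that weights exposure and lack of support, and the device-group strategy from the list above. All component names, versions, and severities are invented placeholders.

```python
"""
Added example: SBOM-driven identification, disposition and risk ranking
across a small device portfolio. All data below is constructed for
illustration; no real products, libraries or advisories are referenced.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    component: str      # hypothetical component name
    fixed_in: str       # first version that contains the fix
    severity: float     # CVSS-like 0..10 score (constructed)


@dataclass
class Device:
    name: str
    sbom: List[Tuple[str, str]]   # (component, version) pairs from the SBOM
    network_exposed: bool         # reachable beyond the HDO's trusted network?
    supported: bool               # still receiving vendor software updates?
    dispositions: Dict[str, str] = field(default_factory=dict)


# Constructed advisory feed (identification input).
ADVISORIES = [
    Advisory("tls-lib", "1.2.5", 7.5),
    Advisory("json-parser", "2.2.0", 5.3),
    Advisory("rtos-net", "4.1.0", 9.8),
]

# Constructed portfolio: one device per group in the article's list.
PORTFOLIO = [
    Device("infusion-pump-A", [("tls-lib", "1.2.3"), ("rtos-net", "4.1.2")], True, True),
    Device("bedside-monitor-B", [("tls-lib", "1.2.5"), ("json-parser", "2.0.9")], False, True),
    Device("imaging-console-C", [("tls-lib", "1.1.0"), ("rtos-net", "4.0.1")], True, False),
]


def identify(device: Device) -> Dict[str, str]:
    """Identification + disposition: decide, per advisory, whether this device is affected.
    The disposition strings mirror VEX-style statuses so they can be disclosed as-is."""
    versions = dict(device.sbom)
    for adv in ADVISORIES:
        if adv.component not in versions:
            device.dispositions[adv.component] = "not_affected:component_absent"
        elif parse_version(versions[adv.component]) < parse_version(adv.fixed_in):
            device.dispositions[adv.component] = "affected"
        else:
            device.dispositions[adv.component] = "not_affected:fixed_version"
    return device.dispositions


def risk_score(device: Device) -> float:
    """Risk-rank: sum of affected severities, weighted up for exposure and lack of support."""
    identify(device)
    score = sum(adv.severity for adv in ADVISORIES
                if device.dispositions.get(adv.component) == "affected")
    if device.network_exposed:   # outside the trusted hospital network
        score *= 1.5
    if not device.supported:     # no vendor patch path: legacy device
        score *= 2.0
    return score


def strategy(device: Device) -> str:
    """Map a device onto the three groups from the article's list."""
    identify(device)
    if not device.supported:
        return "legacy: plan end-of-support, apply external controls, migrate with the HDO"
    if "affected" in device.dispositions.values():
        return "supported-in-field: schedule patch around clinical uptime"
    return "supported-in-field: no affected components, keep monitoring advisories"


def rank_portfolio(devices: List[Device]) -> List[Tuple[str, float]]:
    """Highest risk first, so the team knows where to start."""
    return sorted(((d.name, risk_score(d)) for d in devices),
                  key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_portfolio(PORTFOLIO):
        print(f"{name:20s} risk={score:.2f}")
    for d in PORTFOLIO:
        print(d.name, strategy(d), d.dispositions)
```

The ordering that comes out (unsupported, exposed console first; isolated, supported monitor last) is the point: the same advisory carries a different priority depending on where the device sits and whether a patch path exists, which is what the three device groups above encode.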
Healthcare’s reliance on technology will never go away — it has improved diagnostic capabilities, given us new treatment options, reduced time, effort, and risk for patients. Therefore, we must make the security component of this process a positive experience for the user and/or patient, as that can mean the difference between the success or failure of a cyber-criminal.
With every additional connected point, a potential new risk is introduced which must be understood, mitigated as necessary, and managed over time.
About Vidya Murthy
Vidya Murthy has worked in security for 15 years, with emphasis on healthcare and medical devices for the last 8. As Chief Operating Officer at MedCrypt and MedISAO, Vidya has supported more than 70 device manufacturers in maturing their product cybersecurity programs. During her tenure at Becton Dickinson, she established the protected health information security program, embedded it into device operations and operationalized it for compliance and risk reduction across multiple product lines. Her direct interaction with health systems informed a global strategy for supporting medical device sales.