CyberVitals: Planning for Medical Device Security in 2025 while Surviving 2020

Contributor: Vidya Murthy, WEMBA’42 

Over the last decade, technology has played a central role in advancing quality of care, creating new delivery mediums, and changing access for patients, in large part due to the development of ‘connected’ medical devices. The less discussed shift that has occurred is viewing cybersecurity as a HIPAA compliance requirement instead of a patient safety enabler. But how can one think about cybersecurity during a global pandemic? If we have learned anything so far, it’s healthcare’s exemplary ability to ‘become remote’ during a crisis. Perhaps this is indicative of a capability for agility that many may have doubted but which could be applied to implementing better healthcare cybersecurity practices across the value chain. 

Location of Care Delivery
The average hospital bed has 10-15 devices connected to it. The American Hospital Association estimates there were about 900,000 hospital beds in 2019, which means there are at least 9,000,000 devices inside U.S. hospitals. 

These unprecedented times have seen a shift in care beyond healthcare delivery organizations (HDOs), allowing practitioners to triage patients rapidly and effectively. These changes have been great for patients and providers, enabling safe monitoring of patients even when they’re not in the HDO. But it also means that, more than ever, connected devices operate outside of the secured and monitored HDO network while sending data back to providers within the HDO network. Each of these new connection points also introduces additional cybersecurity threat vectors.

Shift from Viewing Cybersecurity as a HIPAA Concern to a Patient Safety Enabler
Frequently felt as the regulatory burden for HDOs, device vendors, and clinicians, HIPAA has had an indelible impact on our healthcare system. An average of 35 HIPAA violation complaints are made on a daily basis, with estimates that 59% of the U.S. population has had its health records breached/exposed. Since the compliance date of April 2003, the challenge of meeting the HIPAA privacy rule has persisted. COVID-19 has introduced a perceived relaxation of cybersecurity requirements in the form of the Office of Civil Rights waivers “pausing” HIPAA enforcement, but, if anything, the securing of healthcare data has become even more critical for the collective good. 

Beyond the commonly cited identity theft and financial exploitation as a result of a HIPAA breach, a 0.04% increase in mortality rates was observed for patients in facilities with a historic breach, even in scenarios where an HDO restored operations and enhanced security controls after a cyberattack.  Since emergency healthcare centers being built in response to the pandemic have already been victims of cyberattacks before opening their doors, perhaps it’s fortuitous the demand for beds has not warranted using these facilities yet? However, according to Chris Sherman from Forrester Research, there have already been two U.S. hospitals that have been attacked via virtual care systems.  

The expansion of connected medical devices increases the scope of HIPAA management, while also introducing patient safety considerations.  Imagine a glucose meter is manipulated and the attached insulin pump provides an injection that a patient doesn’t need. Or a critical calculation in radiation therapy is manipulated. Even the TV show Homeland portrayed a pacemaker vulnerability exploited in an assassination. 

While it makes a good Hollywood tale, a personalized cybersecurity attack is not what most are worried about; the greater concern is a vulnerability being used as an entry point for gaining control of an HDO and distributing ransomware. This was seen during the WannaCry 2017 attack on the United Kingdom’s National Health System, which forced the system to revert to pencil and paper, reschedule elective procedures, and re-route patients with emergent needs. While this demonstrates a well-executed disaster plan, it is estimated to have cost $72M £, locked 200,000 computers, and required 19,000 patient appointments to be rescheduled over the course of 7 days.

No deaths have been attributed to the attack, but research documents a 13.3% higher mortality rate for patients experiencing a cardiac arrest who received a delay in care of four minutes. When applying this finding to a delay in care due to a network takeover by hackers, one can imagine a far greater increase in mortality rates.

Regulatory Requirements - Today and Looking Forward
It is obvious the FDA is involved in assessing the clinical functionality of devices, but perhaps less known is the FDA’s regulatory oversight of the cybersecurity requirements for medical devices. 

Issuing their first guidance document in January 2005, the FDA has actively worked to build a collaborative community - including clinicians, hackers, device manufacturers, and HDOs. Most recently, the PreMarket and PostMarket Management of Cybersecurity in Medical Device documents have created a clear roadmap and goals for the industry to work towards.

PreMarket Guidance

While this guidance is noted to still be in draft mode since it was released in October 2018, there are a few areas of focus it will endorse once finalized (expected sometime in 2020): 

  • Devices should make extensive use of encryption to keep data private.
  • Digital signatures should be used to verify authenticity of devices, data, and instructions.
  • Devices should be designed in a way that anticipates regular, routine cybersecurity patches.
  • User authentication needs to be secure and robust.
  • Devices should be able to alert users when a cybersecurity breach occurs.

PostMarket Guidance

Released in 2016, this guidance includes a combination of process and procedural requirements for both medical device manufacturers (MDMs) and HDOs, mainly the following: 

  • Understanding, assessing and monitoring vulnerabilities and risks 
  • Robust software lifecycle processes that include having a process for ongoing updates and patches 
  • Threat modeling cybersecurity risks around a medical device 
  • Participating in a coordinated vulnerability disclosure policy 

These guidance documents confirm the FDA has expectations that MDMs and HDOs will collaborate to build a more robust security ecosystem. The pandemic has not diminished the FDA’s expectation that connected devices demonstrate that cybersecurity features have been engineered into the device.

The rapid deployment of telehealth, field hospitals, remote connected devices, and entire health systems administration ‘going remote’ has expanded the landscape, and threat actors have just as quickly developed methods to exploit it. If anything, the introduction of legacy ventilators to treat COVID-19 patients has shown how far device manufacturers have come, while also highlighting that there is still a lot of work to be done.

Setting the Groundwork Today for Success Tomorrow
With COVID-19 bringing into focus the importance of disaster planning and remote capabilities, it is a foregone conclusion the threat landscape will keep growing. Moving to more remote functionality to sustain business operations introduces new technology, practices, and threats. Unfortunately, the pace of transitioning to remote working means prioritizing security can be difficult, but there are tangible changes that can be made today. 

  • Medical device cybersecurity requires technical and procedural actions by multiple parts of the ecosystem. Instead of reinventing the wheel, leverage already available tools as part of an overall strategy that will create scalable and sustainable security. 
  • For products under development, the importance of medical devices being designed in a manner that is compliant with cybersecurity requirements is self-evident. Without these requirements being demonstrated, devices will not receive regulatory blessing. 
  • Devices that are on the market and still supported by device vendors will gain the confidence of providers and practitioners by demonstrating a commitment to updating devices for evolving cybersecurity requirements. 
  • Key public and private stakeholders, including HDOs, medical device vendors, federal agencies, and healthcare IT vendors collaborated to create the Joint Security Plan, a product lifecycle reference guide to unite the community on best practices. 

If your company is implementing new remote practices, think about whether it’s still ‘new enough’ that proactive security can somehow be fit into the scenario. This means thinking about where data is generated, how it’s shared and stored, and what people are using the data for. 

COVID-19 has transformed healthcare. With some intentionality around how medical devices will operate in the current environment, we can lay the groundwork to have a collectively more secure ecosystem in the future. 

 

Contact Vidya at: vidya@medcrypt.com