CyberVitals: Healthcare Cybersecurity Is More than HIPAA

Contributor: Vidya Murthy, WEMBA’42 

Healthcare cybersecurity is often perceived as leaked personal health information that, at worst, results in a fine and/or a spot on the Department of Health & Human Services’ “Wall of Shame” breach database. In the post-Roe world, the implications of leaked personal health information take on an entirely new meaning.

Cybersecurity at its core strives to safeguard the confidentiality, integrity, and availability (CIA) of critical data. Translating the CIA triad into clinical terms makes it easier to put security in context when emerging data-privacy considerations arise.

Confidentiality, for example, can directly impact many period-tracker and fertility apps used as part of family planning, which now carry data that can be used against people in states where abortions are banned. 

Integrity protects patients from manipulation of the data generated by their devices, data that is increasingly fed to artificial intelligence/machine learning algorithms to inform clinical decision-making.

Availability of data can directly impact how care is delivered, running the gamut from reliance on electronic health record systems, to clinical precision being enhanced as a result of a real-time data loop. 

When healthcare data and technology systems are connected across a growing ecosystem, a variety of potential benefits for care delivery may accrue. However, with these advantages also come a host of potential attack vectors. 

What’s new?

In Q2 of 2022, the FDA issued an update to its guidance document outlining requirements for medical device manufacturers as part of their pre-market submissions. The expectation is that as the FDA matures its enforcement of these requirements, as reflected in its 10x budget requests, devices will NOT reach the market if they do not show sufficient consideration of cybersecurity concerns. Anecdotally, we are already hearing of devices that are otherwise clinically effective being rejected for cyber vulnerabilities.

The changes of particular note in the guidance fall into the following main areas:

  1. Expanded Scope 
    The updated guidance is set to cover all premarket submission types, including 510(k) submissions; De Novo requests; Premarket Approval Applications (PMAs); Product Development Protocols (PDPs); Investigational Device Exemptions (IDEs); and Humanitarian Device Exemptions (HDEs); as well as devices for which a premarket submission is not required (e.g., 510(k)-exempt devices).

    There is an additional call-out that the device maker must consider the security interdependencies between the broader healthcare system and the device, in both directions.

  2. Special emphasis on programmatic efforts 
    One of the medical device-specific challenges is that cybersecurity doesn’t fit into the existing quality management system and development lifecycle. This update takes great measures to implement systemic change that will trickle across the entire development lifecycle. In particular, the four programs noted below will require maintenance and support for a device’s entire lifespan:
    • Secure Product Development Framework (SPDF)
    • Security Risk Management
    • Threat Modeling
    • Cybersecurity testing during the development lifecycle

    While each addresses a particular type of security risk, the key takeaway is that security will no longer be a burden specific to research and development, but will instead become embedded cross-functionally.

  3. Measuring progress
    For the first time, the FDA is seeking measures and metrics to assess the efficacy of cybersecurity programs, in particular focusing on vulnerability management. At a minimum, device makers must track the following measures and metrics:
    • Percentage of identified vulnerabilities that are updated or patched (defect density)
    • Time from vulnerability identification to when it is updated or patched
    • Time from when an update or patch is available to complete implementation in devices deployed in the field

    While it’s difficult to see how a pre-market submission to the FDA will bring this level of insight over the device’s lifetime, these measures reflect ongoing cybersecurity ‘health’ being reported to the FDA. This may curb the ‘bundling’ of device changes, where we commonly see security fixes delayed so they can be shipped with a feature update. Given recent estimates that newly disclosed vulnerabilities start to be exploited within 15 minutes, this seems well aligned.
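The three measures above are easy to state but only useful if a device maker actually computes them from its own vulnerability log, including the awkward cases (fixes released but not yet rolled out to the fleet, vulnerabilities with no fix yet). The following Python script is an added example, not part of the original post or any FDA material: the record layout, the sample vulnerabilities and dates, and the 30-day rollout SLA are all constructed assumptions, chosen to show how the "bundling" delay the text warns about surfaces as an overdue rollout.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    """One tracked vulnerability in a device maker's log (assumed layout)."""
    vuln_id: str
    identified: date                        # when the vulnerability was confirmed
    patch_available: Optional[date] = None  # when a fix/update was released; None = no fix yet
    fleet_patched: Optional[date] = None    # when rollout to fielded devices completed; None = still pending


# Constructed sample records; not real vulnerability data.
SAMPLE = [
    VulnRecord("V-001", date(2022, 1, 10), date(2022, 2, 1), date(2022, 3, 15)),
    VulnRecord("V-002", date(2022, 2, 5), date(2022, 2, 20), date(2022, 4, 1)),
    VulnRecord("V-003", date(2022, 3, 1), date(2022, 3, 30), None),   # fix released, rollout incomplete
    VulnRecord("V-004", date(2022, 4, 12), None, None),               # no fix yet
]


def _days(start: date, end: date) -> int:
    return (end - start).days


def patched_percentage(records, as_of: date) -> float:
    """Measure 1: share of vulnerabilities identified by `as_of` that have a released fix by `as_of`."""
    known = [r for r in records if r.identified <= as_of]
    if not known:
        return 0.0
    fixed = [r for r in known if r.patch_available is not None and r.patch_available <= as_of]
    return 100.0 * len(fixed) / len(known)


def identification_to_patch_days(records) -> list[int]:
    """Measure 2: days from identification to fix release, for vulnerabilities that have a fix."""
    return [_days(r.identified, r.patch_available) for r in records if r.patch_available is not None]


def patch_to_fleet_days(records) -> list[int]:
    """Measure 3: days from fix release to completed field deployment, for completed rollouts only."""
    return [_days(r.patch_available, r.fleet_patched) for r in records
            if r.patch_available is not None and r.fleet_patched is not None]


def overdue_rollouts(records, as_of: date, sla_days: int) -> list[str]:
    """Fixes that exist but have not reached the fleet within the SLA: the 'bundling' delay made visible."""
    return [r.vuln_id for r in records
            if r.patch_available is not None and r.fleet_patched is None
            and _days(r.patch_available, as_of) > sla_days]


def summarize(records, as_of: date, sla_days: int = 30) -> dict:
    """Roll the three measures plus the overdue list into one report dictionary."""
    id2patch = identification_to_patch_days(records)
    patch2fleet = patch_to_fleet_days(records)
    return {
        "as_of": as_of.isoformat(),
        "percent_patched": round(patched_percentage(records, as_of), 1),
        "median_days_identify_to_patch": median(id2patch) if id2patch else None,
        "mean_days_identify_to_patch": round(mean(id2patch), 1) if id2patch else None,
        "median_days_patch_to_fleet": median(patch2fleet) if patch2fleet else None,
        "unpatched_count": sum(1 for r in records if r.patch_available is None),
        "overdue_rollouts": overdue_rollouts(records, as_of, sla_days),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE, date(2022, 5, 1)).items():
        print(f"{key}: {value}")
```

Run it as a script and it prints the report for the constructed log as of 1 May 2022: 75% of known vulnerabilities have a fix, one has no fix at all, and V-003 shows up as an overdue rollout because its fix has sat unreleased to the fleet for more than the assumed 30 days. Median rather than mean is used for the rollout time because a single slow fleet update would otherwise dominate the figure.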


How do you start?

There will never be a perfect moment, nor enough engineering resources, to fit cybersecurity into a device design process without trade-offs. The first step towards building a secure device is accepting this reality and choosing to pursue a secure design anyway.

Nearly every medical device manufacturer has claimed that "data is the future." For that future to materialize, and the additional revenue to be captured, security must be treated as a matter of the highest urgency. To align business and cybersecurity initiatives, begin by quantifying the opportunities, and the risk if security is not done. This brings transparency and risk-based decision making to an organization.

Once business buy-in has been achieved, reflect on whether as a device maker you seek to make cybersecurity your second strongest competency, after your clinical expertise.

Few device makers view securing devices as a core competency; those that do not should get familiar with the tool landscape and learn to partner with vendors. Much as nearly every device maker has migrated to third-party cloud hosting rather than a self-managed data center, device makers should match skillset to need.

Conclusion

A variety of legislation and regulations strive to mandate cybersecurity controls in devices, and the ‘Strengthening American Cybersecurity Act’ is another piece of the puzzle whose impact is still unknown. Commensurately, the FDA has introduced fees to support cybersecurity review.

As noted above, the post-Roe ecosystem has brought to light the bias often designed into healthcare solutions. Monetizing data has become a de facto strategy in big tech, but it disproportionately impacts certain populations. While many are aware of bias in clinical practice, it also shows up as insurance bias against minority communities or in facial recognition at borders.

As healthcare leaders, it is our responsibility to consider the strategy and tactics employed in growing the business and to ensure they keep patient safety and care front and center. In an environment that is only becoming more complex, no device maker will benefit from delaying the design and prompt implementation of a security strategy that addresses the ever-present and evolving challenges of a rapidly changing healthcare landscape.


Contact Vidya at: [email protected]