CyberVitals: Medical Device Security Undergoes a Big Change

Contributor: Vidya Murthy, WEMBA’42 

The first quarter included a huge cybersecurity win with the Federal Bureau of Investigation shutting down the Hive ransomware group, which had targeted more than 1500 entities, including hospitals, school districts, and financial firms. And yet, cyberattacks on healthcare organizations consistently got worse in 2022. Are significant security incidents in healthcare becoming an accepted new normal?

On December 29, 2022, President Biden signed into law the ‘Consolidated Appropriations Act, 2023’ (H.R.2617). The Act has widespread cybersecurity impact, but it also directs particular funding and initiatives to medical device cybersecurity. The constant attacks in healthcare have not gone unnoticed, and this bill solidifies the urgency of changing the status quo.

Under the Act, both the Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) were granted additional authorities and funding to regulate pre- and post-market cybersecurity risks of legacy and new medical devices. In particular, this means that devices historically approved or cleared can be reviewed for cybersecurity under this law.

The Act goes into effect in March 2023 and may very well change the trajectory of healthcare cybersecurity. Alongside mandates for more frequent guidance from the FDA, it explicitly calls out patch management, secure product development, and software bill of materials (SBOM) management. This complements the Biden administration's existing cybersecurity initiatives, which highlight healthcare as a critical area of focus.

The burden of cybersecurity risk management at a hospital raises a critical question: should a hospital’s second core competency be cybersecurity? Or does the requirement placed on hospitals result in a misalignment of incentives, in which healthcare is not allowed to optimize for delivering care?

Whenever a headline arose about healthcare cybersecurity, it usually decried the loss of personal health information as a result of an employee issue. This is because hospitals, and the fines enforced by the Office for Civil Rights, have historically prioritized data privacy (think HIPAA), and, for many, that was the “bar” of security practices to implement.

As confirmed by a survey from the American Hospital Association, the cybersecurity measures health systems actually need have long exceeded the legal mandate they face. This is further exacerbated by a rapidly evolving threat landscape, including the use of ChatGPT to develop new malware.

The reality, however, is that connectivity evolved in healthcare without sufficient guard rails for managing the proliferation of new attack vectors. How can a single hospital information technology (IT) group practically manage the operation of hundreds of thousands of connected devices, while also maintaining security measures, without disrupting the delivery of critical patient care?

As Dr. Suzanne Schwartz, Director of the Office of Strategic Partnerships and Technology Innovation at the FDA's Center for Devices and Radiological Health, has said repeatedly, cybersecurity is patient safety. Claims of the first death attributed to a hospital ransomware attack bring into acute focus why healthcare is novel in its struggle and different from other industries.

The Act requires shifting responsibility up the supply chain, so that devices are secure by design and thus present a more manageable burden for consumers of devices. Consumers in this case span traditional health systems as well as patients directly. The COVID-19 pandemic accelerated the dissemination of care delivery outside the four walls of a hospital, which often included delivering connected devices directly to patients at home.

In all fairness, healthcare spending on cybersecurity has historically been the highest across multiple industries. But even with that spend, the results have been underwhelming, so it is unsurprising that it took a new law to attempt to change this trend.

It may sound hyperbolic, but the potential for shifting the trajectory of healthcare cybersecurity under this law is unprecedented. Implementation and enforcement certainly won’t happen overnight, but we are living through a historic inflection point as an industry.


Contact Vidya at: [email protected]