CyberVitals: Healthcare Cyber Events Are Common, But It Doesn’t Have to Be This Way

Contributor: Vidya Murthy, WEMBA’42 


Healthcare Does Healthcare

Healthcare is a cyber criminal’s dream. It presents the intersection of a data treasure trove, weak security posture, limited resources, complicated supply chain, and patient care delivery. When faced with having to pick a priority to optimize for, healthcare will, of course, always pick delivering healthcare.

A great example of this is how connectivity evolved in medical devices. Initially, devices got an ethernet port because providers could enhance care delivery with limited connectivity. This evolved into more complex and cross-organizational data sharing, workflows, and systems to support care delivery, eventually spreading into cloud and electronic health record integrations. With COVID, the push for telehealth and remote patient monitoring has taken many of these devices beyond the walls (and protective network) of a healthcare delivery organization (HDO) and into the hands of consumers. Within a decade, healthcare went from large islands of information to highly integrated systems.

These innovations greatly enhanced patient and provider experience. But they also introduced a variety of cybersecurity considerations that were generally not solved because this had never been done! 

State of Cybersecurity Affairs 

While HDOs have increasingly been building cybersecurity competency, it is really hard for the consumer (i.e., the HDO) to assess the efficacy of a device's cybersecurity posture legally, technically, and in the context of a complicated IT infrastructure. That difficulty undermines the HDO's willingness to pay a higher price for a more secure device. This comes full circle: medical device manufacturers (MDMs) cannot justify investing in cybersecurity when the market does not reward their incremental costs.

Given technical, regulatory, and legal limitations, HDOs effectively inherit MDM security decisions for devices procured, creating a dependence on MDMs publishing/facilitating updates, while the HDO is expected to continue to deliver safe and effective care.  

This problem persists beyond the recommended shelf-life of a device. In a hypothetical HDO, if a $1 million device has reached the end of software support, but continues to be clinically effective, the HDO is faced with a decision: purchase a new device that’s supported, apply (with restrictions) security measures external to the device, or delay until clinical impact warrants investment in a replacement device. 

And, as noted above, HDOs optimize for healthcare delivery and patient outcome, and they should. Therefore, in the absence of clinical justification, it can be difficult to shift procurement, budget, staffing, and operations to prioritize software updates or device replacements, or to take a life-sustaining device out of operation for any period of time in order to upgrade it.

In 2016, when the FDA released its post-market cybersecurity guidance, it stipulated the collection of so-called cybersecurity signals. This indicates that at a future date we will have access to more telling technical insight to assess the impact of device information integrity on clinical outcomes. It also indicates that, at this time, most "live" devices were never architected to capture security log data, reinforcing that evidence of security incidents is difficult to obtain.

Last year saw an increase in cyberattacks on HDOs, including ransomware attacks, which previous studies demonstrate have an impact well beyond the "resolution" of the incident. This is further exacerbated by COVID, as substantiated in a recent study from CISA (Cybersecurity and Infrastructure Security Agency).

All signs indicate we are not sufficiently cybersecure for the way healthcare wants to deliver care. The global pandemic compounded this vulnerability as healthcare workers were rapidly sent home and asked to work remotely in hastily established environments. As some hospitals noted, it accelerated the digitization of operations by at least 10 years. Considering this unanticipated fast-track scenario in the context of care delivery increasingly moving into patient homes, the inherent protection of the hospital network was essentially eliminated. Furthermore, with devices outside the hands of providers, routine maintenance and security updates became increasingly difficult.

Practical Advice 

The roles of HDOs and MDMs are complementary, and both need to cooperate to sustain a cyber-resilient posture. 

HDOs and MDMs alike need consistent and transparent regulatory requirements and enforcement. Regulators are working hard to generate new guidance and seeking authorities to be able to implement consistent and transparent regulation. 

Meanwhile the Health Sector Coordinating Council (HSCC) has combined resources across HDOs to propose contract language to aid with cybersecurity assessments as part of the procurement process, while cybersecurity leader Mayo Clinic publishes their risk assessment criteria for public consumption. Engaging with a group that drives activities, whether through industry collaboration or even group purchasing organizations (GPOs) that are assessing cybersecurity risks, seems like a practical and scalable starting point. 

MDMs need to build products that meet a security baseline, are patchable, and are likely to get patched. In other words, secure at birth and securable thereafter. To do so, MDMs not only need technical capacity to identify threats and design security controls, they need to transform their organizations to establish the capacity and knowledge to create secure products at scale.

This critically important step in the product development cycle requires strong signals from executive leadership with clear lines of accountability for pre- and post-market risk.

There are three main groups of devices, and each requires its own cybersecurity strategy:

  • New devices: Begin the design with security considerations outlined, leverage tools to actively address them as device innovation evolves, and don't go it alone.
  • Devices still under support in the field: Risk-rank where to start in the portfolio, and tackle them with operational support that prioritizes both uptime and security concerns.
  • Legacy devices: Determine the strategy for the end-of-support phase of what's in the field, and work with HDOs to prioritize moving onto the next generation.

Path Forward 

Healthcare's reliance on technology will never go away — it has improved diagnostic capabilities, given us new treatment options, and reduced time, effort, and risk for patients. Therefore, we must make the security component of this process a positive experience for the user and/or patient, as that can mean the difference between the success and failure of a cybercriminal.

With every additional connected point, a potential new risk is introduced which must be understood, mitigated as necessary, and managed over time.


Contact Vidya at: [email protected]