Frequently perceived as the regulatory burden for HDOs, device vendors and clinicians, HIPAA has had an indelible impact on our healthcare system. And it is often the first thing envisioned when healthcare and cybersecurity are mentioned. However today we are seeing unprecedented fines being levied, lawsuits occurring in nearly every corner of the world and increased scrutiny by regulators over healthcare security. And it goes well beyond HIPAA.
Cyberattacks are relatively cheap and easy to access. The attackers’ business plans are expansive, with extremely generous profit margins. A recent study estimates that losses from cybersecurity attacks are in the trillions and growing by multiples.
Meanwhile, in healthcare especially, defense tends to be a generation behind the attackers. It’s hard to show a return on investment for prevention, and law enforcement is almost non-existent (about 0.3% of all cybercrime that’s reported is prosecuted). Security investment sits around the $100B mark, with fairly steady increases of 10%. How can that compete with the attackers’ spend? Microsoft estimated it took more than 1,000 engineers to create the SolarWinds attack. Is there ANY organization outside of government entities that has 1,000 security engineers?
This little-understood imbalance of the economic incentives is exacerbated by the fact that many of the technologies and business practices that have recently driven corporate growth, innovation and profitability also undermine cybersecurity. Technologies such as interoperability or cloud computing bring tremendous clinical advancements and cost efficiencies but dramatically complicate security.
Those tasked with managing security in devices are faced with the conundrum of needing to use technology to grow and maintain their enterprises without risking the corporate crown jewels or hard-won public faith in the bargain.
Why is This Important?
The House of Representatives passed legislation that, if made into law, would require medical device manufacturers to pay a fee associated with assessing the cybersecurity posture of connected medical devices.
The reality is that the economics of trying to “do” comprehensive security are limitless. But the move to fund assessments by the FDA indicates that the cost of not doing security is likely to be a delay in product launch.
The core competency of healthcare is healthcare. Whether innovating new clinical treatments, enabling data sharing across a care team or discovering novel ways to enhance the quality of life, healthcare knows clinical care. The challenge faced in prioritizing medical device-based cybersecurity is that the buyers of medical devices haven’t been able to push for it as part of their purchase criteria.
Imagine a head of surgery conceding to a lower grade clinical solution because it is more cybersecure. It’s inconceivable.
This has, in many instances, meant security features are built reactively into a device - if a powerful buyer requires a specific feature, it gets prioritized because that’s how the contract gets signed. The aggregate impact is a series of one-off decisions that try to address isolated use cases for a device to “be secure.” Without a cohesive strategy, this often results in security debt and incomplete security strategies.
That means it will always be a challenge to prioritize security features in the R&D process of a medical device manufacturer.
Like all businesses, medical device manufacturers determine the features they prioritize based on what their customers tell them. So how can we get market incentives aligned to have devices secure by design?
Taking a page from the highly regulated financial sector, one may instinctively point to the regulator. The FDA has rapidly developed, deployed and disseminated its pre- and post-market cybersecurity guidance. The recently released FDA pre-market cybersecurity guidance architects requirements that, if finalized, will require a systemic re-think of how cybersecurity fits into device design. By aligning with the quality management system, cybersecurity will more transparently require consideration at multiple stages of a device’s lifecycle.
The danger here is that healthcare constantly blames the user/patient. Whether it’s patient adherence, login/password management, or phishing failures, this isn’t an industry that has historically optimized for easing the user experience. It goes to my earlier point - we optimize for patient outcomes.
Therefore, we must design devices to be secure. Make them secure from the inception.
What Can Be Done?
There are several guidelines out there (the Healthcare Sector Coordinating Council’s Joint Security Program, National Cybersecurity Center of Excellence, TIR-57) on how to pursue this, but it’s important to remember there is no one standard to rule them all.
The idiosyncratic progress to date shows that we haven’t done enough to secure the ecosystem. Medical device development must undergo a systemic change in how it manages cybersecurity risk for the collective to benefit.
Cybersecurity costs are managed most efficiently when integrated into core business decisions. Moreover, in an efficient economy, access to cybersecurity expertise is the way to ensure efficient and effective solutions that persist for the lifetime of a device.
For our community to have any chance at combating the mounting security debt, the malicious actors in our ecosystem and increasingly complex value delivery systems, we must begin with devices that are proactively made secure by expert solutions. There are ways to create clinical innovations while still being secure; but to get there, we have to do things differently than we have in the past.
About the author: Vidya Murthy is the COO for MedCrypt. Vidya has worked in security for 15 years, with an emphasis on healthcare and medical devices for the last eight. As Chief Operating Officer at MedCrypt and MedISAO, she has supported more than 70 device manufacturers in maturing their product cybersecurity programs.
During her tenure at Becton Dickinson, she established the protected health information security program, embedded it into device operations and operationalized it for compliance and risk reduction across multiple product lines. Her direct interaction with health systems informed a global strategy for supporting medical device sales. Prior to earning her MBA from Wharton, she worked in security consulting with PricewaterhouseCoopers.