During the past few decades, the health care industry has integrated more digital systems, amassed more digital data and automated clinical workflows. This has caused the industry to become a more attractive target to cyber-adversaries while clinicians have become more dependent on these digital systems.
On the other hand, cyber-threats are evolving rapidly as attacks are becoming increasingly targeted, sophisticated and well-executed. As a result, health care finds itself exposed to more threats and sees increased risk; a cyber-incident can impact the privacy of sensitive patient data and interfere with hospital operations and care delivery, in addition to patient safety.
This developing tension between rapidly evolving digital systems and the information they hold while protecting them against today’s cyber-attacks will require a new thinking and an improved approach to cyber-defense. In this article, we discuss seven ideas that health care IT professionals should consider.
Data Point No. 1: Hospitals will no longer accept medical devices that aren’t proactively secured.
In the past, medical devices were shipped to hospitals and device vendors would all but hope there were no cyber-security vulnerabilities within the devices. If a vulnerability is found, vendors would react and try to mitigate via hospital-based intervention, or address the issue with a device update.
This may have been acceptable years ago, but with increasing connectivity, a growing dependency on devices for care delivery and a rapidly evolving cyber-threat landscape, this approach no longer provides sufficient security. Hospitals today are demanding that devices are proactively secured because they can't—and don't want to—deal with the repercussions of devices that are not secure.
Data Point No. 2: Leading medical device manufacturers are competing on cyber-security vulnerability disclosure trends.
An analysis of ICS-CERT cyber-security disclosures reveals device vendors reported 400% more vulnerabilities per quarter since the Food & Drug Administration (FDA) released its Postmarket Cybersecurity Guidance in December 2016, a potential sign of improving compliance. But only a subset of device vendors, representing only a subset of device types, are actively participating in this type of coordinated vulnerability disclosure, indicating that broader adoption of transparency is still lacking in the industry.
Although thought leaders have established a path forward, improvement is still required. An approach to proactive security (i.e., designing security into the device) will help reduce the number of security disclosures a manufacturer will have to manage and make it easier for hospitals to dedicate their limited resources and focus their security activities to the few critical cases.
Data Point No. 3: FDA regulatory guidance promotes proactive security.
With the FDA Premarket Cybersecurity Guidance (drafted October 2018), device vendors will need to implement cyber-security best practices spanning both technical and process interventions. In considering the technical best practices recommended by the FDA, including cryptographic signatures, encryption and device monitoring, hospital procurement teams have confirmed alignment with the FDA’s expectations. The FDA established that a device vendor cannot delegate the responsibility for security to its hospital customers, but instead it must demonstrate consideration of the process and technical features outlined.
Therefore, to meet regulatory needs, medical device vendors will require improved processes (design, testing, release, postmarket management) as well as the use of security technology to provide the best possible foundation of security.
Data Point No. 4: Cyber-security is not just data privacy, it’s a patient safety concern.
The FDA repeatedly has shared that there has been no report of patient harm as a result of a medical device cyber-security incident. However, research has shown a 13.3% higher mortality rate for patients experiencing a cardiac arrest whose care was delayed by only four minutes. Considering the impact of WannaCry malware on the UK National Health System resulting in 19,000 appointments being rescheduled, it is hard to imagine there were no direct patient impacts as a result of this cyber-incident.
Data Point No. 5: Broader trends in connectivity and non-hospital-based care mean the threat exposure is expanding.
Health care has been shifting outside of the traditional hospital environment to offset increasing costs in care delivery, to enable remote patient geography and to accommodate populations that are unable to access a Health care Delivery Organization (HDO) on an ongoing basis. These changes have been great for patients and providers, enabling ongoing monitoring of patients even when they’re not in the HDO. But it also means that connected devices operate outside of the secured and monitored HDO network, while sending data back to providers within the HDO network. The introduction of these connection points serves as the introduction of additional threat vectors that need to be managed.
Data Point No. 6: Process security is inadequate in isolation, such as patching for known vulnerabilities.
The importance of patching cannot be understated in software lifecycle management. However, in health care, there is an added complication of clinical care. A review of vulnerability disclosures indicates a 50% increase in frequency of patching since the FDA post-market guidance was released in 2016. While this shows great progress, there is no correlation between CVSS score severity and frequency of patching.
Furthermore, it is commonly accepted that HDOs are challenged with timely with patch management. This is due to several reasons: regulations that can slow down the release and adoption of medical device patches, challenges of aligning patch deployment with clinical schedule and economic limitations.
Data Point No. 7: Security tools must account for clinical use cases to be effective.
There are a variety of engineering challenges that are unique to medical devices, such as unpredictable device connectivity, small device size, limited system resources, device management by hospitals, device operation behind a firewall, unknown “at home” security landscape and, perhaps most importantly, clinical reliance on continued functionality.
Traditional Internet of Things (IoT) security solutions do not consider the unique needs of medical devices and therefore introduce additional challenges when deployed in a health care setting.
If you have a suggestion for an eWEEK Data Points article, email [email protected].