During the past few decades, the health-care industry has integrated more digital systems, amassed more digital data and automated clinical workflows. This has caused the industry to become a more attractive target to cyber adversaries, while clinicians have become more dependent on these digital systems.
On the other hand, cyber threats are evolving rapidly as attacks are becoming increasingly targeted, sophisticated and well-executed. As a result, health care finds itself exposed to more threats and sees increased risk, as a cyber incident can impact the privacy of sensitive patient data and interfere with hospital operations and care delivery–in addition to patient safety.
This developing tension between rapidly evolving digital systems and the information they hold while protecting them against today’s cyber attacks will require a new thinking and an improved approach to cyber defense.
This eWEEK Data Points article is based on industry information from Vidya Murthy, Vice-President of Operations at MedCrypt.
Data Point No. 1: Hospitals will no longer accept medical devices that aren’t proactively secured.
In the past, medical devices were shipped to hospitals, and device vendors would all but hope there were no cybersecurity vulnerabilities within the devices. If a vulnerability was found, vendors would react and try to mitigate via hospital-based intervention, or address the issue with a device update. This may have been acceptable years ago, but with increasing connectivity, a growing dependency on devices for care delivery, and a rapidly-evolving cyber threat landscape, this approach no longer provides sufficient security. Hospitals today are demanding that devices are proactively secured as they can’t–and don’t want to– deal with the repercussions of devices that are not secure.
Data Point No. 2: Leading medical device manufacturers are competing on cybersecurity vulnerability disclosure trends.
An analysis of ICS-CERT cybersecurity disclosures reveals device vendors reported 400% more vulnerabilities per quarter since the federal Food & Drug Administration (FDA) released its Postmarket Cybersecurity Guidance in December 2016, a potential sign of improving compliance. But only a subset of device vendors, representing only a subset of device types, are actively participating in this type of coordinated vulnerability disclosure, indicating that broader adoption of transparency is still lacking in the industry. Although thought leaders have established a path forward, improvement is still required. An approach to proactive security (i.e., designing security into the device) will help to reduce the number of security disclosures a manufacturer will have to manage and make it easier for hospitals to dedicate their limited resources and focus their security activities to the few critical cases.
Data Point No. 3: FDA regulatory guidance promotes proactive security.
With the FDA Premarket Cybersecurity Guidance (drafted October 2018), device vendors will need to implement cybersecurity best practices spanning both technical and process interventions. In considering the technical best practices recommended by the FDA, including cryptographic signatures, encryption and device monitoring, hospital procurement teams have confirmed alignment with the FDA’s expectations. The FDA established that a device vendor cannot delegate the responsibility for security to its hospital customers, but instead must demonstrate consideration of the process and technical features outlined. Therefore, to meet regulatory needs, medical device vendors will require improved processes (design, testing, release, postmarket management) as well as the use of security technology to provide the best possible foundation of security.
Data Point No. 4: Cybersecurity is not just data privacy, it’s a patient safety concern.
The FDA repeatedly has shared that there has been no report of patient harm as a result of a medical device cybersecurity incident. However, research has shown a 13.3% higher mortality rate for patients experiencing a cardiac arrest whose care was delayed by just four minutes. Considering the impact of WannaCry on the UK National Health System resulting in 19,000 appointments being rescheduled, it is hard to imagine there were no direct patient impacts as a result of this cyber incident.
Data Point No. 5: Broader trends in connectivity and non-hospital based care means the threat exposure is expanding.
Health care has been shifting outside of the traditional hospital environment to offset increasing costs in care delivery, enable remote patient geography and to accommodate populations that are unable to access a healthcare delivery organization (HDO) on an ongoing basis. These changes have been great for patients and providers, enabling ongoing monitoring of patients even when they’re not in the HDO. But it also means that connected devices operate outside of the secured and monitored HDO network, while sending data back to providers within the HDO network. The introduction of these connection points serve as the introduction of additional threat vectors that need to be managed.
Data Point No. 6: Process security is inadequate in isolation, such as patching for known vulnerabilities.
The importance of patching cannot be understated in software lifecycle management. However, in health care, there is an added complication of clinical care. A review of vulnerability disclosures indicates a 50% increase in frequency of patching, since the FDA post-market guidance was released in 2016. While this shows great progress, there is no correlation between CVSS score severity and frequency of patching. Furthermore, it is commonly accepted that HDOs are challenged with timely with patch management. This is due to several reasons: regulations that can slow down the release and adoption of medical device patches, challenges of aligning patch deployment with clinical schedules and economic limitations.
Data Point No. 7: Security tools must account for clinical use cases to be effective.
There are a variety of engineering challenges that are unique to medical devices, such as unpredictable device connectivity, small device size, limited system resources, device management by hospitals, device operation behind a firewall, unknown “at home” security landscape, and perhaps most importantly, clinical reliance on continued functionality. Traditional IoT security solutions do not consider the unique needs of medical devices and therefore introduce additional challenges when deployed in a health-care setting.
If you have a suggestion for an eWEEK Data Points article, email cpreimesberger@eweek.com.