The inside joke among healthcare IT executives is that there are two kinds of CIOs: those that have been hacked and those that don’t know they have been hacked.
The recent WannaCry cyberattacks that temporarily crippled the National Health System (NHS) in the UK had limited impact in the U.S. Notably, the malware was able to infect a medical device made by healthcare company Bayer, prompting other major medical device manufacturers such as Becton and Siemens to release IT security notifications. A chain is only as strong as its weakest link, and in the chain of healthcare information security, many consider medical devices to be the weakest link.
We know that the WannaCry malware event was due to the failure of some NHS hospitals to apply a Microsoft security patch. I have written here previously about the aging health IT infrastructure that makes it vulnerable to cyberattacks. As the healthcare sector shifts rapidly towards a value-based care (VBC) era, data from a range of interconnected devices (the Internet of Things, or IoT) is playing an increasingly important role in improving population health management and healthcare outcomes. Importantly, smart medical devices cannot simply be “turned off,” as former VP Dick Cheney did to his pacemaker on his doctor’s advice some time back.
As with any large corporation, medical device companies have a set of challenges that directly impact IT security at the enterprise level. Also, FDA guidelines require manufacturers to consider device security during the product development lifecycle to mitigate cybersecurity risks.
Promoting cyber-hygiene for medical devices
But what happens to devices that are already out there in the market, especially ones that are running on operating systems (OS) that are a couple of generations older than the current versions? The FDA released guidelines in late 2016 laying out an approach to the post-market phase for medical devices promoting “good cyber hygiene” through routine device cyber maintenance, employing a risk-based approach to characterizing vulnerabilities, and timely implementation of necessary actions to mitigate emerging cybersecurity risks and reduce the impact to patients.
Beckman Coulter (Beckman), a medical device manufacturer that has been around since 1935, has devices that stay in the market for a long time, sometimes 20 years or more, representing multiple generations of a product. Legacy operating systems have their challenges, says Scott T. Nichols, Director of Global Product Privacy and Security at Beckman. He describes postmarket device security management in terms of an “onion” strategy, referring to the multiple layers at which security must be managed: the data layer, the application layer, the operating system layer, the device (PC) layer and the network layer, all wrapped properly in policies and procedures.
According to Nichols, while it is relatively easy to manage device security for new designs and new products, it’s a lot harder for legacy devices already out in the market. This is due to various factors, including varying levels of maturity in IT security practices among users, lack of resources, and, most pertinently, varying degrees of device security practices among medical device vendors.
The FDA’s Postmarket Management of Cybersecurity in Medical Devices guidance points out that cybersecurity risk management is a shared responsibility among stakeholders, including the medical device manufacturer, the user, and an array of technology providers such as OS vendors, application developers, and systems integrators, many of whom are not regulated by the FDA. Given the heavily regulated nature of the device industry, even the smallest of changes historically had to go through an onerous compliance review and approval process. More recently, the FDA has given device manufacturers the latitude to apply security patches that do not impact patient safety, which provides much-needed relief to the device industry in dealing quickly with cybersecurity vulnerabilities.
Towards a set of industry standards
One of the challenges for device security is the lack of a set of industry standards and a commonly accepted security certification process for medical devices. While the health IT sector is governed by HIPAA and has HITRUST certification for organizations, this isn’t adequate for medical devices, according to Nichols. What is needed is a set of standards specifically for the device industry. Nichols is involved in a number of initiatives and organizations trying to achieve just that. It’s also important that these standards are industry driven, adds Nichols, so that they capture true user needs rather than being handed down as a mandate by a federal agency.
In the meantime, Nichols recommends a set of best practices for device manufacturers and users, including a robust and dynamic categorization of their devices and underlying software in terms of criticality and impact. He adds that systems software vendors need to work on improving their appreciation of the needs of a vertical industry segment, e.g., medical devices or healthcare. He points out that what may be critical for a software vendor may not be critical for the device manufacturer or the user, and vice versa.
Medical devices, and the broader category of IoT devices, are emerging as important sources of data in healthcare. They enable improved population health management, remote patient management, and the development of personalized care protocols, all of which are essential pillars in the shift towards Value Based Care and lowering the costs of care. Device security is a critical enabler in the future of healthcare.