Last week’s global ransomware cyber-attack that upended hospitals across the globe reminds us that every innovation comes with challenges. In all industries, especially the healthcare industry, connectivity offers tremendous benefits but also increased risk.
Although these attacks disrupted healthcare services and others, the risk extends to every aspect of connected healthcare, including connected medical devices. This industry must come together to address growing challenges.
Later this week, the Food and Drug Administration (FDA) will host a two-day workshop to address this trade-off, with the goal of discussing new tools and best practices to strengthen cybersecurity in medical devices. These types of industry-focused events represent promising opportunities to foster engagement across the healthcare community and demonstrate an industry-wide commitment to trusted cybersecurity measures. Despite isolated studies demonstrating theoretical success, the probability of exploiting connected medical devices to conduct a successful cyberattack is likely low. But the pace at which these threats evolve calls for a collective industry effort to develop a comprehensive security response that gives physicians and patients confidence in the tools they need to make informed decisions.
Connected medical devices provide patients and physicians with technology to better manage chronic conditions, improve outcomes, and reduce the overall cost of care. They enable fewer doctor visits, reduce response times, and shorten hospitalizations by empowering patients to manage aspects of their own care. To mitigate cybersecurity risks associated with connected medical devices, and ensure patients continue to derive their full benefits, industry must not only build security into its innovation process, but ensure resources are in place to conduct ongoing monitoring efforts. While many companies are building security into their design and development stages, technology evolves at such a pace that companies need robust continuous monitoring and mitigation strategies to maintain a strong security posture. As the FDA has noted, effective cybersecurity measures are necessary to assure proper device functionality and to protect health information stored on connected medical devices. Failure to do so can impact device integrity or availability, data loss, and exposure to other potential security threats.
This challenge will only grow as “smart” devices become increasingly intelligent, leveraging new information sets to diagnose, monitor, and treat patients. Today, many view the health and cost-savings benefits of connected medical devices as greater than associated cybersecurity vulnerabilities; however, the time is right for industry to advance cyber protections to maintain this risk calculus. While the FDA has provided cybersecurity guidance, the burden now rests with manufacturers. Specifically, industry should address three topics.
- Standards: Like the pharmaceutical industry has done with prescription drugs, device manufacturers should develop a common language and an industry-wide set of standards to impart confidence in the security of connected devices. Standards should explain how security is integrated into the design process and how manufacturers can learn of and integrate new security best practices into legacy and new devices.
- Risk Analysis: Industry needs to agree on how to evaluate the benefits and risks of connected devices. As security standards are put in place, they should include an ongoing assessment of threats and industry-accepted mechanisms for evaluating cyber risks against clinical benefits and uses. Just as a doctor would communicate to a patient the benefits and risks associated with a particular treatment plan, so too should they be equipped to discuss the benefits and risks associated with connected medical devices.
- Information-Sharing and Collaboration: Medical device manufacturers and the broader healthcare industry should work with government and each other to share knowledge and build a healthcare ecosystem resilient to cyber threats. Much like the financial services and electric power sectors have done with their sector-specific partners in government, the healthcare industry and government should engage regularly to prepare for and respond to today’s evolving threat environment.
These recommendations do not mean to imply that industry has not taken positive steps to strengthen cybersecurity. On the contrary, the National Heath Information Sharing and Analysis Center (NH-ISAC) is an excellent start: it offers healthcare stakeholders a forum “for sharing cyber and physical security threat indicators, best practices and mitigation strategies.” More companies should participate in, contribute to, and engage with this forum as a trusted community.
It would be misleading to surmise that in today’s age of connectedness, any one company can claim to be hack-proof. Successful and responsible companies are those that assess, mitigate and constantly monitor the ever-present threats to critical assets. Creating a resilient healthcare network that embraces the benefits of innovation while mitigating its associated risks is a responsibility shared among device manufacturers, service providers, patients, and physicians. Working together to implement trusted cybersecurity measures will give physicians and patients the tools they need to make informed decisions about health management, and ultimately help maintain the trust and security that make these technology transformations successful.
AUTHORS
Michael Chertoff is a former homeland security secretary and executive chairman of The Chertoff Group, a security and risk management advisory firm.
Jason Cook, an information security and technology expert, is a managing director of The Chertoff Group.
