Medical device makers, regulators and healthcare delivery organizations are increasingly working together to strengthen cybersecurity. But are they doing enough?
Almost no one in the medtech industry disputes the vulnerability posed by cyberattacks. How to go about boosting security is another matter – one on which those stakeholders have recently stepped up their collaboration. One group, the Healthcare & Public Sector Coordinating Council, thinks it has a solution: Health providers and other customers buying a connected medical device should be able to remotely access a cybersecurity bill of materials (CBOM) that would list all commercial, open-source and custom-code software. The CBOM would also include commercial hardware such as processors, network cards, sound cards, graphics cards and memory.
The council’s recently issued joint security plan calls for more vulnerability disclosures, notices of breaches, software and hardware upgrades and security patch availability. Companies would also need to notify customers before they end technical support for older devices.
“It’s this voluntary framework that establishes best practice for cybersecurity at a medical technology company,” council member Rob Suarez, director of product security at Becton Dickinson, told Medical Design & Outsourcing. “This joint security plan establishes the common ground which many medical device manufacturers, health IT vendors and healthcare providers agreed on.”
Some manufacturers have grumbled about providing hardware information in a CBOM, but an increasing number have pledged to publicly share vulnerability information should hackers breach one of their devices, including industry giants BD, Abbott, Siemens, Philips, Medtronic, Johnson & Johnson, Boston Scientific and Stryker.
Responding to the problem
Abbott is especially aware of cybersecurity challenges. It acquired St. Jude Medical in 2017, just months after short-selling investment firm Muddy Waters publicly claimed that St. Jude cardio devices are especially vulnerable to hacking.
The crisis accelerated Abbott’s efforts to make cybersecurity a priority throughout the entire design and product development process, rather than tacking it on at the end when changes are more expensive and time-consuming, according to VP of cybersecurity Chris Tyberg. Abbott has cybersecurity experts working with its R&D, IT and engineering teams to ensure that they’re designing devices with the right threats in mind, and accommodating for those threats.
Customers want more security, Tyberg told MDO. Abbott last year conducted a cybersecurity survey with the Chertoff Group in which 82% of 300 physicians and 72% of 100 administrators said they wanted industrywide standards so they know what to expect of medical device cybersecurity.
Medtech manufacturers in general are employing measures similar to Abbott’s, including BD. Although historically a syringe business, BD now has more than 220 software-enabled devices on the market with a framework designed to achieve security throughout their lifecycle. BD’s cybersecurity motto is security by design, in use, and through partnership, Suarez said.
“We want to understand how clinicians and patients use these technologies and tailor our security controls to their environments,” he told us.
Industry-wide transparency is key, Suarez added. “You can’t secure what you don’t know, so BD has made it a routine practice to deliver things like coordinated vulnerability exposure” information to the U.S. Homeland Security Dept. and to customers so they can protect patients.
“Our approach is really prefaced on these principles and the capability that we’ve built up over the last two years, and that’s what you see reflected in the joint security plan,” Suarez said.
Any progress?
The FDA in recent years has increasingly paid attention to medtech’s cybersecurity challenges, publishing its first premarket cybersecurity guidance in 2014 and a postmarket guidance in 2016. In October 2018, the agency issued an updated draft premarket guidance that includes some postmarket information. It also held a public workshop in January to get feedback on that guidance and worked on the joint security plan.
FDA rests its cybersecurity guidance on three principles: trustworthiness, transparency and resilience, according to Suzanne Schwartz, the agency’s associate director of science & strategic partnerships.
“To bake security in and build it into the design early on in a thoughtful manner is what will enable throughout the entire product lifecycle the kind of resilience that is necessary so that we’re not dealing with some of the real legacy challenges that we have to deal with today,” Schwartz said.
The FDA welcomed input from cybersecurity experts within and outside medtech – as well as from other industries, including the oil and gas sector.
“We certainly don’t want to be working in a silo or reinventing what we do,” Schwartz said.
“The moves that the FDA has made have been monumental,” said Daniel Beard, CTO of medtech software developer Promenade Software. “When you think about the rate that the government moves, it’s like light-speed time.”
Interventional cardiologist Dr. Leslie Saxon has been working with Abbott, Boston Scientific and Qualcomm to educate clinicians so they will accept the importance of cybersecurity similar to the way Americans warmed to environmentalism in the 20th century. Saxon believes collaboration by government and industry is helping medtech catch up with the financial and aerospace industries’ cybersecurity efforts.
“You would never think of littering now, but it took a while for that to get through the culture,” said Saxon, executive director of the University of Southern California’s Center for Body Computing.
Next, she’d like to see medtech companies standardize security breach notifications to providers and patients the way that banks have done for their customers, especially given the increasing numbers of people using connected medical devices in their everyday lives.
A real and present danger
Ransomware and other cyberattacks have stunned the medtech world. In 2016, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital’s computer systems, including blocking access to patient records. The 2017 WannaCry attack affected hospitals in the U.S. and U.K., including medical devices made by Bayer, Siemens and others, according to the Health Information Trust Alliance. And the Homeland Security Dept. issued an alert in 2018 indicating that several GE Healthcare imaging devices were vulnerable to cyberattack.
Manufacturers need to grasp the importance of the CBOM and explain its contents to healthcare providers, according to Martin Nappi, VP of business development for medical at Green Hills Software. Nappi surveyed doctors and hospitals about medtech cybersecurity last year.
“Most of the clinics and healthcare providers, smaller hospitals, even medium hospitals, didn’t have cybersecurity expertise,” Nappi said. “They really didn’t know what level of security had been built into a system. There’s no way of telling.”
Health delivery organizations can protect themselves from vulnerable devices by requiring vendors to meet the criteria laid out in the joint security plan, according to Kevin McDonald, director of clinical information security for Mayo Clinic and a co-chair of the joint task force.
“We have a process to be able to collect that data, prioritize it, measure the risks and make decisions on purchasing,” McDonald said. “If a device comes in and can meet those criteria, you can take a significant portion of the risk off the table.”
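As an added illustration (not code from the article, the council, or any manufacturer or hospital named here), the following Python sketch shows how a purchaser could take a CBOM of the kind described above, cross-check it against vendor vulnerability disclosures and end-of-support notices, and rank the results so that purchasing and risk decisions start from the worst finding. Every component name, version, advisory and date in it is a constructed placeholder, and the CBOM and notice formats are assumptions made for the example rather than the council’s format.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One entry of a cybersecurity bill of materials (CBOM)."""
    name: str
    version: str
    kind: str     # "software" or "hardware"
    origin: str   # "commercial", "open-source" or "custom"


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    issue: str        # "vulnerability" or "end-of-support"
    severity: str     # "critical", "high", "medium" or "low"
    remediation: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not lexically."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def assess_cbom(cbom, disclosures, end_of_support):
    """Match each CBOM entry against advisories and end-of-support notices.

    disclosures: name -> list of {"affected": (low, high), "severity", "fixed_in"}
    end_of_support: name -> {"versions_up_to", "date"}
    Returns findings sorted by severity, then issue type, then component name.
    """
    findings = []
    for comp in cbom:
        for adv in disclosures.get(comp.name, []):
            low, high = adv["affected"]  # inclusive version range
            if parse_version(low) <= parse_version(comp.version) <= parse_version(high):
                fix = (f"update to {adv['fixed_in']}" if adv.get("fixed_in")
                       else "no vendor fix published; apply compensating controls")
                findings.append(Finding(comp.name, comp.version, "vulnerability",
                                        adv["severity"], fix))
        eos = end_of_support.get(comp.name)
        if eos and parse_version(comp.version) <= parse_version(eos["versions_up_to"]):
            # Unsupported software will never receive patches, so rate it above unsupported hardware.
            sev = "high" if comp.kind == "software" else "medium"
            findings.append(Finding(comp.name, comp.version, "end-of-support", sev,
                                    f"vendor ended support on {eos['date']}; plan replacement"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.issue, f.component))
    return findings


# Constructed sample CBOM for a hypothetical connected device (placeholder names).
EXAMPLE_CBOM = [
    Component("infusion-pump-fw", "4.2.0", "software", "custom"),
    Component("acme-tls", "1.0.2", "software", "open-source"),
    Component("example-rtos", "2.3.1", "software", "commercial"),
    Component("netcard-x200", "1.0", "hardware", "commercial"),
    Component("dsp-chip", "3", "hardware", "commercial"),
]

# Constructed vendor disclosures (placeholder advisories, not real ones).
EXAMPLE_DISCLOSURES = {
    "acme-tls": [{"affected": ("1.0.0", "1.0.5"), "severity": "critical", "fixed_in": "1.0.6"}],
    "netcard-x200": [{"affected": ("1.0", "1.0"), "severity": "medium", "fixed_in": None}],
    # Range below the installed 4.2.0, so this advisory must not produce a finding.
    "infusion-pump-fw": [{"affected": ("3.0.0", "3.9.9"), "severity": "high", "fixed_in": "4.0.0"}],
}

# Constructed end-of-support notice (placeholder date).
EXAMPLE_END_OF_SUPPORT = {
    "example-rtos": {"versions_up_to": "2.9", "date": "2018-12-31"},
}


if __name__ == "__main__":
    for f in assess_cbom(EXAMPLE_CBOM, EXAMPLE_DISCLOSURES, EXAMPLE_END_OF_SUPPORT):
        print(f"{f.severity:8} {f.issue:15} {f.component} {f.version}: {f.remediation}")
```

Run as a script, it lists the critical TLS library vulnerability first, the unsupported RTOS second and the unpatched network card last, while the firmware advisory for an older version range produces nothing. A real deployment would replace the inline dictionaries with the vendor’s published CBOM and disclosure feeds.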
What about older technology?
Most recently published cybersecurity advice to medtech addresses new devices, while hospitals, clinics and patients continue to use legacy devices that manufacturers no longer support. Experts predict it will take five to 10 years for users to replace all of their older devices in favor of more secure ones. In medtech, it isn’t always a simple matter to make switches as soon as more secure devices debut. Swapping out a device might require surgery and the accompanying risk of infection and recovery time.
“When you’re a patient who has an implantable cardiac or neuro device, every year, month, day, hour, second that that device lasts is a good thing,” noted Abbott’s Tyberg. “We also need to acknowledge that technology changes fast and cybersecurity changes fast, so we need to be focused on continuing to provide updates to these devices when they need them.”
The pace of advances such as artificial intelligence and 5G cellphone networks will likely slow, but humanity is still in its technological infancy, added John Pappan, director of regulatory affairs and medical device and business strategy for Premier Research.
“It’s significant that we find a balance between where we are and where we need to be,” Pappan said. “We’re too young to know when what we’re doing is too much for our own good.”