Progress is finally happening in healthcare cybersecurity. Traditionally, healthcare has lagged behind other industries in enabling security controls, but amid reports of breaches, medical device vulnerabilities and the attention of federal regulators, innovative companies are advancing positive change. Yet, legacy mindsets still threaten healthcare’s ability to stay ahead of evolving threats, especially as medical device manufacturers strive to innovate fast enough to address real security challenges. Medical industry boardrooms need to adopt policies that match today’s security landscape before patient harm or regulatory intervention forces their hand.
That’s right, policies, not technology, hinder faster adoption of key security protections. Not all is lost, though, as some signs point to potential breakthroughs.
Advances are already being made as many medical device manufacturers are embedding strong security into the devices they have in development. In the years ahead, when these new products go to market, they will be better equipped to deal with the security threat landscape than devices in use today. These new devices will be capable of preventing unauthorized access, encrypting data transmitting to or from devices, stopping malware, and ensuring the integrity of patient care. Many medical device manufacturers are implementing other sorely-needed security practices such as secure design, coding and testing. Many are also performing risk assessments on their devices to understand and rank the potential vulnerabilities. Others, like Philips and Johnson & Johnson, have adopted reporting processes that healthcare providers can use to report device vulnerabilities they discover. Recently, “white hat” researchers have begun collaborating with both healthcare providers and medical device manufacturers to improve security for providers and patients. All of this activity is positive and is moving the industry in the right direction.
Devices Must Evolve with the Times
As encouraging as this progress is, large challenges remain as the industry awaits the arrival of more secure devices that will arrive in the next few years. For example, who believes the security approaches being integrated now will still be sufficient in the next two to five years? Given how quickly technology is evolving, the current medical device product lifecycle is too long to keep up with bad actors discovering new and more sophisticated approaches for hacking connected devices. Device manufacturers need to be able to continually update security on devices through all stages of the product lifecycle to ensure all devices meet the most up-to-date security best practices.
A Green Light From the FDA
What about the challenge of addressing the security vulnerabilities with legacy medical devices? Do healthcare providers have to wait for new technology to emerge, or is there something that can be done in the interim to help secure legacy devices? In the recent draft guidance given in the Post Market Management of Cybersecurity in Medical Devices, the Food and Drug Administration (FDA) provided helpful clarification about improving the security of medical devices. The guidance states:
Changes to a device that are made solely to strengthen cybersecurity are typically considered device enhancements, which may include cybersecurity routine updates and patches, and are generally not required to be reported, under 21 CFR 806.10;
This single statement from the FDA clarifies a policy position many in the industry have held, that it is too costly and takes too much time getting approval to update the security of a legacy medical device. This position can no longer be taken, and security improvements can be made without an overly burdensome and timely process attached.
As stated earlier, most medical device security challenges aren’t technical in nature. They have more to do with decisions and policies being made in the boardroom than the decisions being made by security engineers. Many security engineers know what actions need to be taken to improve the security of the devices they work on. However, getting the needed approval to make these important changes is challenging. I was recently told by a security engineer at a major medical device company that it takes nearly a miracle to get approval to update security on a medical device that has already gone through the FDA approval. This is true even if the update significantly improves the security of the device. Should these types of policy restrictions really be in place, or do they create a larger risk for the patients and doctors that will ultimately use these devices?
New New Policies Require Mindsets
Today’s security landscape requires new mindsets. Organizations can prioritize security as a business advantage where investments today will yield business opportunities tomorrow, rather than being left to pick up the pieces after an incident compels change. Security can be a marketing advantage, and innovative companies will take the long view, rather than viewing security as a cost center.
With many healthcare organizations adding security provisions in their procurement processes, device manufacturers have financial incentives to prioritize security now. This has been made clearer by Mayo Clinic’s comments on the FDA draft guidance where Mayo Clinic has taken a strong position in asking FDA to make its guidelines enforceable, in order to spur security adoption. Investments made today can help prevent security breaches of tomorrow, the types of adverse events that could lead to enhanced regulatory measures and a lack of confidence among device purchasers.
Taking an innovative approach toward security policies will help advance security adoption and make sure medical devices meet patient and provider privacy needs now and in the future. The time is now to put in place more flexible policies and processes for updating security on medical devices.