AAMI News December 2017

Experts Give Healthcare Facilities, Device Makers Tips for Addressing Cybersecurity Challenges

Cybersecurity ChallengesThe healthcare technology industry has yet to develop a full understanding of the cybersecurity landscape and has a narrow view of its potential vulnerabilities, according to several experts who spoke at the Cyber Security Summit 2017 in Minneapolis, MN.

“You are not an online shoe store,” cybersecurity researcher Billy Rios told attendees during a half-day session focused on “futureproofing” medical device security. By that statement, Rios—the founder of WhiteScope, a security consulting business—meant that the implications of a cyberattack on healthcare are far more serious than a retail breach. Therefore, leaders in healthcare must set and follow much higher cybersecurity expectations. “A patient could get hurt or killed,” he said.

Experts at the summit suggested that there is a lack of foresight on the part of both the healthcare technology industry and healthcare delivery organizations (HDOs). Medical device makers are struggling to keep up with ever-more-sophisticated attacks, while HDOs view cybersecurity threats primarily through the lens of safeguarding patient data, a focus that results from the fact that they can face hefty federal penalties if such breaches occur. Yet that emphasis, the experts said, can come at the expense of preparing for cyberattacks that could render medical devices useless or bring down entire systems—irrespective of any potential breach of patient data.

“Probably the largest deficiency is not understanding what the threat is,” Rios said.

At the “future-proofing” session, speakers offered several tips for device makers and HDOs.

Tips for Manufacturers

  • Incorporate cybersecurity into the development and design of a device, considering the entire life cycle. “Security is not a feature you can add on,” said Stephanie Domas, lead medical security engineer with Battelle DeviceSecure Services. “It is simply an emergent property of a well-defined system.” She urged device makers to consider AAMI TIR57, a technical information report that focuses on risk management for medical device security.
  • Develop a “path” for security patches and upgrades in the initial design of a device. “A lot of medical devices we’re looking at have never been thought out in terms of patches,” said Jay Radcliffe, a senior security consultant and researcher with Rapid7, which focuses on IT security.
  • Reach out to the Food and Drug Administration (FDA) with questions. Seth Carmody, cybersecurity project manager with the FDA, encouraged attendees to contact him with questions, saying the agency wants to work with manufacturers to make sure cybersecurity issues are being addressed early and effectively in the development of devices.
  • Look to the financial sector for a model in terms of how an industry can share cybersecurity information. ”The gold standard” for security engineering, according to Rios, can be found in companies such as Apple and Google.
  • Expect customers to ask about cybersecurity when purchasing new medical equipment and to want a defined scope of cybersecurity services over the device’s lifetime. Plan accordingly.

Tips for HDOs

  • Early on, involve the health IT and healthcare technology management departments in all procurement decisions related to medical equipment and systems.
  • Address cybersecurity in your contracts, and specify service and support expectations with vendors.
  • Develop a broader view of cybersecurity, understanding that it’s much more than an effort to protect patient information.
  • Spend more on health IT. According to Dan Lyon, principal consultant with Synopsys Software Integrity Group, a Ponemon Institute study found that health IT spending averaged 6% annually, compared with 12% to 16% for other sectors.
  • Look to standards for help. One example cited by speakers was ANSI/AAMI/IEC 80001, which addresses risk management for IT networks incorporating medical devices.