Connected Health and Cybersecurity: Advice about the Device

By: Greg Garcia

November 17, 2021

Categories: AAMI News, HTM Professionals, Medical Device Manufacturers



Hack the Device, Hack the Human

Whether we’re in the doctor’s office for a routine checkup, monitoring our health and heart rate with a wearable device on a morning jog, or having surgery in the operating room, we rarely think about the potential vulnerability to cyberattacks of the network-connected devices that are enabling our care. However, the benefits from rapid advances in the use and capabilities of “connected health” also come with potential risks.

According to the American Hospital Association (AHA), the U.S. is home to 6,210 hospitals, each with 50 to 500 beds and 10 to 15 networked devices per bed. The 931,203 staffed hospital beds across the nation translate to some 14 million connected medical devices—just at the bedside—many of which must be protected against cyberattack and other threats and vulnerabilities. Thus, it is evident that patient safety depends on cyber safety.

This fact is acutely on the minds of both healthcare providers who manage the devices and medical technology and health information technology (IT) companies that manufacture them. Certain principles are understood when we think about healthcare cybersecurity:

  1. Because the threat landscape is constantly evolving, network and device security have difficulty keeping up.
  2. Healthcare institutions do not have the time, money, or resources to independently fix cyber vulnerabilities.
  3. Patching for updates and vulnerabilities in the medical device ecosystem can be more complicated than your average IT update because a human, not an app, is connected to that device and “system reboot” is not an option.
  4. Government regulation is limited in its ability to achieve the balance of innovation, effectiveness, security, and privacy.

Overcoming these challenges is recognized as a shared responsibility, and the public and private sectors are working together to address these healthcare cybersecurity challenges in various ways.

The (Cyber) Doctor Is In

The Health Sector Coordinating Council (HSCC)—a public-private advisory council of health sector and government stakeholders dedicated to strengthening the nation’s critical healthcare infrastructure against all hazards—convenes these interdependent stakeholders to improve security and resiliency across the healthcare ecosystem. This includes direct patient care, medical technology companies, pharmaceutical companies, labs and blood banks, plans and payers, and health IT.

To deal with specific concerns about medical device security, an HSCC cybersecurity task group cochaired by the Mayo Clinic, Becton Dickinson, and the Food and Drug Administration (FDA) worked more than 18 months to publish, in January 2019, a best practices guide for medical technology companies: the Medical Device and Health IT Joint Security Plan (JSP).

The JSP uses “security by design” principles throughout the product life cycle of medical devices and health IT solutions. It identifies the shared responsibility among industry stakeholders to harmonize security-related standards, risk assessment methodologies, and vulnerability reporting requirements to improve information sharing between medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). The JSP is a living document and will be updated as required to adapt to the ever-changing threat environment for medical devices and health IT solutions.

New task groups were formed in 2019 and 2020 to flesh out elements of the JSP that were addressed only at a high level. In particular:

  • The Legacy Medical Device Security Task Group, cochaired by Intermountain Healthcare, Elekta, and FDA, is developing guidance on how we can deal with the challenging issue of aging medical technologies that have reached the end of supported life—whether for security or operational efficiency—but are not easily replaced or managed because of expense or complexity.
  • The Model Cybersecurity Contract Language Task Group, cochaired by Mayo Clinic, Siemens Healthineers, and Premier Inc., has developed for publication (before the end of 2021) a “model contract” that lays out the most commonly considered cybersecurity terms and conditions to be negotiated between an MDM and its customer, the HDO. The prenegotiated clauses represent the best thinking about recommended contract terms that should be acceptable to both MDMs and HDOs, with exceptions for unique conditions in the procurement. This template can reduce time, cost, and confusion associated with typical contract negotiations.
  • Finally, the Vulnerability Communications Task Group, cochaired by Abbott, Fresenius Medical Care, and FDA, is developing uniform ways for HDOs, MDMs, and government to coordinate how we communicate with patients and other stakeholders about device vulnerabilities and security.

Improving the cyber safety of health technology and clinical operations requires a coordinated, proactive approach. Because patient safety depends on cyber safety, medical device manufacturers, healthcare delivery organizations, government bodies, and other stakeholders are all responsible for contributing to robust cyber hygiene.

Read the Ingredients: Software Bill of Materials

In 2022, a potential new HSCC initiative will continue the work started by the National Telecommunications and Information Administration on developing a software bill of materials (SBOM)—in our case, specifically for healthcare. Most software depends on third-party components (libraries, executables, or source code), but there is very little visibility into this software supply chain. It is common for software to contain numerous third-party components that have not been sufficiently identified or recorded. If users don’t know what components are in their software, then they don’t know when they need to patch. They have no way to know whether their software is potentially vulnerable to an exploit because of an included component—or even whether their software contains a component that comes directly from a malicious actor.

The reality is this: When a new risk is discovered, very few organizations can quickly and easily answer simple, critical questions such as “Are we potentially affected?” and “Where is this piece of software used?” This lack of systemic transparency into the composition of software across the entire digital economy contributes substantially to cybersecurity risks, as well as to the costs of development, procurement, and maintenance.

Software spans industry verticals, and the underlying components can come from a common foundation of open-source and commercial software. Because of this, any solution must work across the entire ecosystem. This is the motivation for an SBOM, which is a “list of ingredients” in software. Greater transparency allows earlier identification (and mitigation) of potentially vulnerable systems, supports informed purchasing decisions, and incentivizes secure software development practices. The idea of a “list of ingredients” is not particularly new, but current trends in security make transparency absolutely essential.
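As an added illustration (not from the article, and not HSCC or NTIA tooling), the following Python routine shows how an SBOM inventory lets an HDO answer “Where is this piece of software used?” and “Are we potentially affected?” when an advisory arrives. The SBOMs use the CycloneDX JSON field names, but the device names, component names, versions, and the advisory itself are all constructed for this example.

```python
import json
import re

# Constructed sample inventory: device ID -> CycloneDX-style SBOM JSON.
# bomFormat/specVersion/components/name/version are real CycloneDX fields;
# every device, component, and version value here is invented.
SAMPLE_SBOMS = {
    "infusion-pump-A": '{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": '
                       '[{"name": "example-tls-lib", "version": "1.2.5"}, '
                       '{"name": "example-rtos", "version": "4.0.1"}]}',
    "patient-monitor-B": '{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": '
                         '[{"name": "example-tls-lib", "version": "1.10.0"}, '
                         '{"name": "example-rtos", "version": "4.2.0"}]}',
    "lab-analyzer-C": '{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": '
                      '[{"name": "example-rtos", "version": "3.9.7"}]}',
}


def version_key(version):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically; a plain
    string comparison would wrongly rank '1.10.0' below '1.3.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def load_inventory(sboms):
    """Parse each device's SBOM into {device: {component_name: version}}."""
    inventory = {}
    for device, raw in sboms.items():
        bom = json.loads(raw)
        inventory[device] = {c["name"]: c["version"] for c in bom.get("components", [])}
    return inventory


def where_used(inventory, component):
    """'Where is this piece of software used?': every device carrying the component."""
    return {dev: comps[component] for dev, comps in inventory.items() if component in comps}


def affected_devices(inventory, component, fixed_in):
    """'Are we potentially affected?': devices whose copy of the component is
    older than the version the (hypothetical) advisory says fixes the issue."""
    return sorted(
        (dev, ver) for dev, ver in where_used(inventory, component).items()
        if version_key(ver) < version_key(fixed_in)
    )


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_SBOMS)
    # Hypothetical advisory: example-tls-lib versions before 1.3.0 need patching.
    for device, version in affected_devices(inv, "example-tls-lib", "1.3.0"):
        print(f"{device}: example-tls-lib {version} needs patching")
```

Without the inventory, the same question would mean asking every manufacturer in turn; with it, the answer is a lookup.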

Medical Device Security and the Wider Healthcare Ecosystem

Through our public-private collaboration, these and other critical issues are being addressed in sector-wide workstreams, such as:

  • The HSCC resource for health providers called the Health Industry Cybersecurity Practices.
  • The FDA’s Patient Engagement Advisory Committee, which sought to understand how best to communicate cybersecurity risks in health risk communications to patients.
  • Efforts to define and operationalize the imperative for SBOMs to help health systems understand which software components are in the devices and systems they purchase and hence how to manage associated risk.
  • Expansion of the annual DefCon Biohacking Village Device Hacking Lab, where hackers, HDOs, and MDMs collaborate to identify vulnerabilities.
  • The International Medical Device Regulators Forum cybersecurity working group, made up of industry and regulators and jointly led by FDA and Health Canada, which is seeking to promote a globally harmonized approach to medical device cybersecurity via its 2021–25 Strategic Plan.

Patient Safety Requires Cyber Safety

We see all these collaborations as signs of significant progress. In 2017, a healthcare cybersecurity task force of industry and government leaders diagnosed that healthcare cybersecurity is in “critical condition.” That was a wake-up call to the industry, and we mobilized to address its recommendations for getting us out of critical condition and into a more secure and resilient posture.

The work and tools highlighted in this article are part of a coordinated, proactive approach to improving the cyber safety of medical technologies and clinical operations. Recognizing that patient safety depends on cyber safety, we have a shared responsibility to treat this cyber infection with robust cyber hygiene and a proactive approach.

Greg Garcia is executive director of the Health Sector Coordinating Council’s Cybersecurity Working Group, an industry advisory committee to the federal government on critical infrastructure protection for the health sector. Email: