Experts Urge Healthcare Facilities, Device Makers to Redouble Efforts to Address Cybersecurity Challenge

Posted October 25, 2017

The healthcare technology industry has yet to develop a full understanding of the cybersecurity landscape and has a narrow view of its potential vulnerabilities, according to several experts who spoke at the Cyber Security Summit 2017 in Minneapolis, MN.

“You are not an online shoe store,” cybersecurity researcher Billy Rios told attendees Monday at a half-day session focused on “future-proofing” medical device security. By that statement, Rios—the founder of WhiteScope, a security consulting business—meant that the implications of a cybersecurity attack for healthcare are far more serious than a breach of a retail business. Therefore, leaders in healthcare must set and follow much higher cybersecurity expectations. “A patient could get hurt or killed,” he said.

These experts suggested there is a lack of foresight on the part of both the healthcare technology industry and healthcare delivery organizations (HDOs). Medical device makers are struggling to keep up with ever-more-sophisticated attacks, while HDOs view cybersecurity threats primarily through the lens of safeguarding patient data, a focus that results from the fact that they can face hefty federal penalties if such breaches occur. Yet that emphasis, Rios and others said, can come at the expense of preparing for cyberattacks that could render medical devices useless or bring down entire systems—irrespective of any potential breach of patient data.

“Probably the largest deficiency is not understanding what the threat is,” Rios said.

While the “threat briefing” offered by multiple speakers was sobering, there were some bright spots. Awareness of cyberthreats in healthcare is growing, even if it’s not where it needs to be. Additionally, there are several tools, notably standards and reports, that can help manufacturers and HDOs successfully tackle the cybersecurity challenge. Also, several speakers said that conversations between HDOs and device makers about cybersecurity are increasing, a tacit acknowledgement that a coordinated and comprehensive approach to this challenge is required.

At the “future-proofing” session, speakers offered several tips for device makers and HDOs.

Tips for Manufacturers

  • Incorporate cybersecurity into the development and design of a device, considering the entire life cycle. “Security is not a feature you can add on,” said Stephanie Domas, lead medical security engineer with Battelle DeviceSecure Services. “It is simply an emergent property of a well-defined system.” She urged device makers to consider AAMI TIR57, a technical information report that focuses on risk management for medical device security.
  • Develop a “path” for security patches and upgrades in the initial design of a device. “A lot of medical devices we’re looking at have never been thought out in terms of patches,” said Jay Radcliffe, a senior security consultant and researcher with Rapid7, which focuses on information technology (IT) security.
  • Reach out to the Food and Drug Administration (FDA) with questions. Seth Carmody, cybersecurity project manager with the FDA, encouraged attendees to contact him with questions, saying the agency wanted to work with manufacturers to make sure cybersecurity issues are being addressed early and effectively in the development of devices.
  • Look to the financial sector for a model in terms of how an industry can share cybersecurity information. ”The gold standard” for security engineering, according to Rios, can be found in companies such as Apple and Google.
  • Expect customers to ask about cybersecurity when purchasing new medical equipment and want a defined scope of cybersecurity services over the lifetime of the device. Plan accordingly.

Tips for HDOs

  • Early on, involve the health IT and healthcare technology management departments in all procurement decisions related to medical equipment and systems.
  • Address cybersecurity in your contracts, and specify service and support expectations with vendors.
  • Develop a broader view of cybersecurity, understanding that it’s much more than an effort to protect patient information.
  • Spend more on health IT. According to Dan Lyon, principal consultant with Synopsys Software Integrity Group, a Ponemon Institute study from earlier this year found that healthcare IT spending averaged 6% annually, compared to 12% to 16% for other sectors.
  • Look to standards for help. One example cited by speakers was ANSI/AAMI/IEC 80001, which addresses risk management for IT networks incorporating medical devices.

Several speakers emphasized their belief that the cybersecurity challenge is only going to grow, saying that the threat is far bigger than the work of individual hackers. Entire nation-states, they noted, are looking at how cyberattacks can disrupt the economies and infrastructure of enemies or rivals. They are just learning what they can do, and healthcare is in their sights.

“The motivation of nation-states right now is mostly scouting,” said Ken Hoyme, director of product and engineering systems security with Boston Scientific.

An FBI agent who spoke at the forum agreed. “A lot of the nation-states are in the system now to see what they can do,” said Christopher Golomb, a supervisory special agent with the department’s Minneapolis division.