Tactics for Improving Medical Device Cybersecurity
1,266,000.
That’s how many web attacks were blocked per day in May 2017, not counting successful attacks, according to Symantec’s Internet Security Threat Report… and that doesn’t include spam, phishing, and malware attacks.
In the early days of computing, programmers used to concoct and launch annoying, but mostly harmless, viruses and worms to gain notoriety. More recently, however, rampant cyber-threats like crypto exploits and malware have posed severe challenges to finance and technology companies. With growing emphasis on data, connectivity, and access, the life sciences industry is under increasing pressure to improve cybersecurity.
More Connections, More Problems
According to a 2016 study conducted by RockHealth, 46% of consumers are now considered active digital health adopters and frequently use tools like wearables, biometric trackers, and health apps. As a result, healthcare providers and hospital systems have begun incorporating mobile technologies into their care models to better engage their patients and improve outcomes. This activity is consistent with trends projecting the mobile health market to increase to a share of $23 billion in the global economy.
As big data and digital health capabilities have grown in popularity and prevalence, so too has the risk of cyber-attacks. Over the years, high-profile medical hacks like Dick Cheney’s pacemaker malfunction and Johnson & Johnson’s insulin pump recall have made for striking headlines. Incidents like these aren’t anomalies – a study conducted by the Ponemon Institute suggests major health systems experience cyber-attacks on a monthly basis. Up until now, most medical device manufacturers have been unable to implement the necessary cybersecurity infrastructure to keep pace with the increasing rate of cyber-attacks.
What’s The Worst That Could Happen?
The consequences of cyber-attacks can be terrifying. Researchers from the University of Birmingham (UK) and University of Leuven (Belgium) have successfully proven that common wireless medical devices like insulin pumps, pacemakers, and defibrillators can be weaponized through cyber-attack. Moreover, the study demonstrates that the necessary reverse engineering to weaponize these devices can be performed remotely with limited resources or capabilities.
Aside from the obvious physical dangers to patients, cyber-attacks cause institutions to undergo significant financial bleed-out. A whitepaper from Protenus estimates that breaches in the healthcare industry cost a stifling $6.2 billion annually. While the cost of individual breaches varies with the significance and/or size of the data being compromised, an average breach across all industries costs about $4 million. In the case of a small breach, the primary sources of cost are lost revenue, lost reputation, and lawsuits. When breaches become larger, the cost often swells with inspection and remediation activities.
Losing both money and patients due to cybersecurity issues has motivated healthcare providers to revamp their policies and take a more stringent approach to which devices they purchase and utilize. If a medical device manufacturer cannot demonstrate a strong cybersecurity program or infrastructure, providers will look elsewhere for their medical device needs.
What Can You Do About It?
Because hackers are extremely persistent and continuously work to uncover holes in defenses, CIOs of medical device companies have to be equally meticulous. To maximize innovation and keep pace with the threat of cyber-attacks, medical device CIOs need to consistently evaluate their IT strategy and implement new policies as capabilities develop and new cyber-threats emerge.
While solutions vary based on the needs and objectives of your business, there are certain elements every cybersecurity professional should consider.
1. Apply Familiar Techniques
Often, you can approach cybersecurity risk as you would a quality initiative. Applying the lifecycle approach to assess and address the potential gaps in your cybersecurity ensures that your device maintains a level of security from start to finish.
2. Leverage Available Resources
The FDA, NIST, and HITRUST have each published guidance documents that explain cybersecurity best practices, specific weaknesses to test for in a device, how to employ encryption defenses, and how to protect against radio signal-based attacks.
3. Look Outside Industry
Financial and tech companies have fought decade-long wars against cyber-attackers and have since implemented high-level cybersecurity protocols to protect their assets.
4. Collaborate. Educate. Repeat.
Maintaining open lines of communication with your industry peers allows manufacturers to work together to shed light on their shared problems. Employing strategies like coordinated vulnerability disclosures allows for a timelier resolution to attacks that could threaten the entire industry, and not just one company. Also, consider ways you can educate providers and patients on cybersecurity relative to your products. What data is being collected? How is the data being collected and transferred? What steps can the provider or patient take to mitigate the risk of attack?
Addressing cybersecurity is an increasingly business-critical process requiring a nearly constant, concerted effort within the life sciences industry. To innovate with confidence and integrate digital solutions, medical device manufacturers must consider the real threats of cyber-attacks and take action.
How is your organization addressing cybersecurity? What new challenges are you facing? Is cybersecurity built into your development process? Please don’t hesitate to share your thoughts on all things cybersecurity with me using the contact info at the top of the page.
Co-author and contributions by Adam Kershner