Stephanie Domas will be speaking at the MedTech Intelligence conference, Medical Device Cybersecurity: Legacy Device Remediation, Compensating Controls & End-of-Life | September 26-27, 2019 | Attend in Cambridge, MA or virtually

Last year, the healthcare industry experienced a substantial increase in cybersecurity awareness around the use of medical devices. In 2019, expect more of the same. More awareness, more regulatory involvement from the FDA and HHS, and more collaboration among manufacturers, healthcare organizations, federal agencies and cybersecurity services firms. And yes, expect more cyber attacks—and an increased sophistication with which they are executed.
All these “mores” are growing right alongside the increase in medical device connectedness. Medical devices don’t work in isolation anymore; they rely on information from other medical devices, or on sophisticated server ecosystems that allow for advanced analytics. This is great if you’re a patient or healthcare provider, but it certainly adds to the roles, responsibilities and workload of those who manufacture medical devices and of those who operate them on their networks.
The following is a more detailed look at what we expect to see in 2019 in the medical device cybersecurity space:
1. Continued awareness and expansion of cybersecurity understanding among medical device manufacturers. This is a never-ending journey, and while 2018 saw great growth here, this battle is never truly won. Just three years ago medical device cybersecurity conferences focused on defining basic cybersecurity; it was not unusual to see a presentation simply explaining what a penetration test meant. The industry has matured immensely these past few years and has moved past knowledge level-setting to advanced presentations sharing the techniques for executing and integrating cybersecurity into design practices.
2. Increased collaboration between medical device manufacturers and hospital security teams, driven by the manufacturers. Medical device vendors needed to start their cybersecurity journeys by looking internally and integrating best practices into their design processes. However, once a certain level of maturity in industry best practices is reached, it becomes time to meaningfully engage hospital security stakeholders and start honing their medical device security offerings to meet the needs of the healthcare delivery organizations.
3. Increased collaboration between hospital security teams and medical device manufacturers, driven by the hospitals. This is the flipside of Number 2. More and more hospitals are beginning to appreciate and accept that their traditional approaches to securing IT products don’t work on medical devices. Medical device-specific processes and procedures are needed, and with that understanding comes an increased need for collaboration with the medical device manufacturers.
4. Expect more laws regarding cybersecurity that affect medical devices. Take for example the California IoT Cybersecurity bill, which will require manufacturers of IoT devices, starting in 2020, to ensure “reasonable security features” on their devices.
5. Increased outsourcing of medical device security in hospitals. It’s no secret there is a talent shortage when it comes to general cybersecurity knowledge. That shortage becomes even more extreme when you start to look at niche areas such as healthcare cybersecurity knowledge mixed with clinical engineering. This unicorn skillset is required to properly secure medical devices while making sure they properly deliver their clinical function. This will lead to increased outsourcing of medical device security maintenance as hospitals find they are unable to locate the aforementioned unicorn and turn to specialized third parties for support.
6. New premarket guidance from the FDA. In late 2018 the FDA released a new draft premarket cybersecurity guidance for medical devices. The draft guidance attempts to move the cybersecurity bar even higher for medical devices seeking approval for sale in the United States. Accounting for revisions based on comments received on the draft, we can expect to see the final guidance issued in late 2019.
7. Information sharing growing pains. The original push for cybersecurity information sharing started in the 2016 FDA Postmarket guidance, which introduced the idea that medical device manufacturers should share cybersecurity vulnerability information about their products with appropriate stakeholders. This was geared at raising cybersecurity in the community as a whole, allowing one manufacturer to learn from another, while also aiding transparency between medical device manufacturers and hospitals. Expect growing pains this year as the number of medical/healthcare-specific sharing organizations increases, requiring medical device makers to communicate uniformly with all of them. When the FDA guidance first debuted, the Health Information Sharing and Analysis Center (H-ISAC) was considered the go-to clearing house for healthcare cybersecurity sharing. Over the past year we’ve seen dozens of new sharing groups, with international versions springing up, creating confusion and pressure on manufacturers as to which groups to notify. How many of these groups do they need to join? Getting information approved for sharing in one outlet can be a herculean effort; it’s not feasible to ask manufacturers to prepare and share with dozens of different outlets.
8. Increased medical device monitoring. Many of the new medical devices hitting the market today were designed with cybersecurity in mind. However, many older devices are still in use, so expect a decade of slow attrition as legacy, less secure devices work their way out of the industry. To tackle this issue, medical device makers are looking at ways to retroactively add more security, which is extremely challenging. Monitoring is proving vital here. Purpose-built medical device monitoring tools are going to become essential for healthcare delivery organizations to keep an eye on their legacy medical devices’ behaviors and provide alerts as appropriate. Traditional IT tools exist, but they don’t understand clinical workflows or medical-specific behaviors and protocols.
Whether you agree or disagree with these predictions, one thing is for sure: The cybersecurity challenge will continue to keep medical device manufacturers, healthcare cybersecurity staff and hospital executives on their toes throughout 2019 and even beyond.