As connectivity within the healthcare ecosystem continues to expand (from medical devices to hospital systems to patients accessing devices and health records), so do vulnerabilities to attacks that expose personal information or compromise patient safety. COVID-19 has heightened awareness of security issues, especially with the increased use of technology such as telehealth. As a whole, the healthcare system has become more susceptible to cyberattacks, but there is no reason to panic, says Axel Wirth, chief security strategist at MedCrypt.
Wirth co-authored the recently published book, “Medical Device Cybersecurity for Engineers and Manufacturers”. He is also speaking at the MedTech Intelligence 2nd Annual Legacy Cybersecurity Conference on September 22–23. In a Q&A with MedTech Intelligence, Wirth explains that the “sky is not falling” and how medtech engineers and manufacturers can implement cybersecurity in a realistic way.
MedTech Intelligence: The introductory description of your recently published book states, “Cybersecurity for medical devices is no longer optional.” Why did you and your co-authors write this book?
Axel Wirth: If you look at the topic of medical device cybersecurity, the general discussion falls into two camps: On one end of the spectrum you have “the sky is falling”—the security researchers, and the headlines in the public press that center around the theme of “someone can hack into my pacemaker.” The other end of the spectrum is the regulatory and standards world, which is becoming increasingly complex—people look at that and say: “this is so complicated, how can I ever solve for that?” It made us realize that we really need something in the middle. It is not a “sky is falling” situation. It is an urgent problem we need to solve, but we don’t need to panic. Instead, we need engineering processes that enable medical device manufacturers to implement cybersecurity without breaking the bank or even exiting the business they’re in. That was our motivation: To put something in front of people that was pragmatic and executable, something that could be followed by companies large and small.
MTI: Has COVID-19 accelerated the urgency of the necessity of security in medical device lifecycle management?
Wirth: In my opinion, it definitely has. The challenge we have right now is being able to execute on cybersecurity as we are all distracted by fighting the pandemic, be it as healthcare providers or as manufacturers of devices, equipment or test kits. I think COVID taught us a couple of things:
One: We were not prepared for it, and we had to set up an emergency healthcare infrastructure in a hurry. All of a sudden we had healthcare staff working from home, patients consulting from home with a doctor who was at home; we had to set up test sites in parking lots; we had to build emergency hospitals in conference centers. Clearly, we had to do it because the pandemic was there, but at the same time, we neglected security. Frankly, we didn’t have a choice. But what we have is a chance to look back at the learnings and do better going forward. What do we need to do better for the next pandemic (and we can safely assume that there will be one)? How can we be better prepared not only from a healthcare delivery and public health perspective but also from a cybersecurity perspective? We need to do better in proactive security and securing this new, distributed infrastructure—we know that patient care is now moving into the home and, for a good part, will stay there. It is said that COVID has accelerated the adoption of telehealth and telemedicine by a decade. Once you place a device into a patient’s home, you will have a harder time managing security. We need to be able to rely on the device being secure rather than the network around the device being secure.
Two: We also learned that we were poorly equipped from a stockpile perspective—and not just PPE but also devices like ventilators and patient monitoring systems. I assume that going forward individual hospitals, states and the federal government will do a better job of having a stockpile of medical devices. We also have to realize that those devices may have been sitting in a warehouse for years by the time they need to be deployed in a hurry—whether for another pandemic or a natural disaster. If devices are needed in an emergency, then they have to be ready immediately, which means we can’t take a traditional reactive approach where someone takes the device off the shelf, installs several years’ worth of security patches, re-tests the device, and then it can be shipped. It has to be ready to be used right away. That’s another learning from COVID that points in the same direction—that devices need to be designed with better security from the get-go, better than what has been traditionally acceptable. In the book, we lay out teaching medtech manufacturers how to set up processes that result in more secure devices. The book goes a little bit into security itself, but it mainly deals with how to build a secure lifecycle management program around your engineering and manufacturing processes for your devices.
MTI: Are there any other key points from the book that you want to highlight?
Wirth: Security is not purely a technical or engineering issue. Cybersecurity has to become a business objective. An organization must realize strategically how important cybersecurity is and that they need to build a culture of security into development processes from the concept of a new device to it being transferred into manufacturing and eventually shipped to a customer. That entire lifecycle of the device needs to embrace security. It’s a technical topic but it’s not just a technical problem—it’s a business challenge that needs to be looked at as a business problem.
MTI: Regarding the folks who are in the trenches in handling cybersecurity issues—what are some of their challenges in making the business case for the importance of having a culture that embraces and understands the importance of cybersecurity?
Wirth: When we started this book, we had many discussions with engineers at device manufacturers—they get it, and they understand the problem and what needs to be done to fix it. But they are often having a difficult time convincing their own management that this is important and that the company culture needs to change around the business case for security. With the book, we hope to reach the people in the trenches, those who understand the problem, and help them articulate how it can be solved.
A business case argument is one that is better understood by non-technical executives as opposed to a purely technical argument. The challenge of substantiating the business case for security hasn’t changed much in the last decade—security is a hard cost with diffuse benefits. How do you demonstrate the benefit from investing in cybersecurity—whether a hospital, a bank, or a medical device manufacturer? Security can only be demonstrated through the absence of failure. And from a business/financial perspective, that’s sometimes difficult to prove.
The traditional approach has been more of a reactive one: Ship a device and deal with the security issues as they arise. With the proposed proactive approach, we are laying out the case that investing in security early on will result in lower total costs across the life of a product and helps avoid lasting consequences. I believe that it is the better approach, as we are laying out in the book.
MTI: You will be speaking at the MedTech Intelligence 2nd Annual Medical Device Cybersecurity conference later this month. Can you give us a preview of some of your discussion points?
Wirth: The key topic of this event will be around the specific security challenges of legacy devices—devices that, as a whole or in part, are no longer supported, for example they may have an older operating system. How does the legacy device problem impact the healthcare industry, what are the risks resulting from that, and what can be done to solve it in the future? Solving for this is not easy, and no doubt, this challenge will be with us for a while. We need to make sure that these devices remain secure even if they might not be supported anymore. That requires a significant shift in everything from how those devices are designed to how they are procured and operated.
MTI: Where is the medtech industry right now in terms of cybersecurity, and where do we need to be as we look forward to 2021?
Wirth: The general healthcare industry, including providers, I think ranks well behind other industries—i.e., finance, manufacturing. We know from research that healthcare organizations tend to spend less of their IT budget specifically on security—those numbers are lower than many industries. Specifically, when talking about medical devices, I think the healthcare industry is comparable to other sectors. For example, we know that the energy sector and other utility sectors are equally vulnerable for the same reasons, as they are using equipment that was designed many years ago with a different security paradigm in mind. There are a few industries that have moved ahead. For example, the industrial control system industry is probably a few years ahead from a security perspective compared to medical devices. There’s an opportunity to look at them and learn from what they have done. These systemic infrastructure changes that are required to improve security must be carefully executed over a number of years.
I want to emphasize my earlier point of the need for a pragmatic middle ground. Do not get hung up on what can seem like an overwhelming onslaught of new regulations that make it seem the problem is impossible to solve – but also avoid a panic reaction and rush to a compromise solution.