Five hundred billion. That’s the estimated number of times a patient will be exposed to a connected medical device over the next 10 years. Yet we as an industry don’t know anything about those exposures, said Dale Nordenberg, M.D., co-founder, executive director of Medical Device Innovation, Safety & Security Consortium. “Our digital health structure is a new utility that we haven’t matured like electric & water,” he explained. “We want to safeguard this innovation.”
Key stakeholders in medical device cybersecurity gathered during a recent MedTech Intelligence conference on the topic to discuss that exact point—ensuring innovation continues while securing devices and protecting against the constant and evolving threats.
“For all the best efforts that industry and all stakeholders can take, the ability to entirely eliminate the possibility of a hack or exploit occurring just doesn’t exist,” said Suzanne Schwartz, M.D., associate director for science and strategic partnerships at CDRH. “We have to understand that these are not entirely preventable.”
Cybersecurity isn’t just about patient privacy—it’s also about the security of a medical device, said Laura Elan, North American service leader for UL, LLC’s regulatory solutions and eHealth business. “There’s no such thing as a product that isn’t hackable.”
Biggest Threats in Cybersecurity
According to the FBI, some of the biggest threats the agency is seeing in the cybersecurity arena are:
- Phishing emails. Some companies strip links from inbound email altogether so employees cannot click them; short of that, the advice is simply not to click links included in emails.
- Ransomware. Many organizations pay the ransom, but the FBI advises against it and encourages companies to contact the agency if they suspect they are victims.
- Cloud backups. While storing data in the cloud can be useful, where do your vendors keep their servers? Are they in the United States or in a country that is an adversary?
- Supply chain security. Be careful where you do business and manufacture products, especially if it’s in adversarial countries.
Plan for an Attack
Once an incident occurs, the FBI gets involved. However, companies will be better positioned to deal with an incident if they follow three general recommendations, advises Kiran Raj, former deputy general counsel for the Department of Homeland Security:
- Have an incident response plan in place before an incident (It may sound obvious, but there are companies that don’t have a formalized plan).
- Don’t have the response plan on the shelf. Companies must be prepared to deal with an incident and should go through the motions ahead of time.
- Understand the scope of your company’s interaction with the government in advance. This includes having a plan in place on who should be contacted from the respective agencies.
Companies can sign up to receive FBI alerts by emailing Cywatch@ic.fbi.gov. This resource keeps companies updated on breaking news and other FBI cybersecurity updates. The agency also encourages device companies to build a relationship with their local or regional FBI office before an incident occurs. When an incident does occur, a complaint should be filed with IC3 (the FBI's Internet Crime Complaint Center); the Center also allows the FBI to track patterns and trends across complaints.