Cybersecurity For Connected Medical Devices: Best Practices for 2022
In 2020 US hospitals were on the front lines of fighting a global pandemic and a war on other fronts as well. Just as COVID-19 exposed vulnerabilities in physical healthcare resources, it also spurred an inevitable uptick of cyberattacks on healthcare delivery organizations (HDOs).
Healthcare jumped from 10th to 7th in the top 10 industries ranked by cyberattack volume in 2020. Ransomware attacks on hospitals doubled. In some cases, hospital personnel were reduced to using paper to track patient treatment, adding unimaginable stress to an already challenging environment.
HDOs are valuable, vulnerable targets. Many have legacy IT systems designed to collect and share sensitive personal information across departments. The early systems were not designed to securely accommodate the profusion of medical devices of recent years, let alone the distributed nature of the Internet of Things (IoT).
Patient information is among the most lucrative data for thieves selling on the dark web, with an estimated average value of $250 to $1000 per medical record. This is one reason why 32% of healthcare data breaches are classified as “theft or loss,” roughly double the 15% average of other industries.
Healthcare may be 7th on the list of attacks by volume, but healthcare breach costs are the most expensive of any industry, averaging $7.13m per breach. Energy ($6.39m) and finance ($5.85m) come in second and third.
All of this is a perfect storm for cybersecurity risk: vulnerable legacy IT, lucrative databases, exhausted personnel, and strained physical resources. Add to that a growing profusion of connected medical devices, each one representing a potential entry point for malware. For example, when you consider that a large HDO like the Mayo Clinic hosts over 50,000 medical devices, you can begin to see the scale of the risk and the challenge.
The healthcare industry is at a critical point with data, security, and patient privacy. Read on for some best practices for MDM security to help everyone weather the storm.
The Opportunity for Medical Device Companies
Every challenging environment represents opportunities for organizations that prioritize meeting stakeholders’ evolving needs. The FDA is clear on the shared cybersecurity responsibility for medical device manufacturers (MDMs) and HDOs, as this excerpt from its website states:
- Medical device manufacturers (MDMs) are responsible for remaining vigilant about identifying risks and hazards associated with their connected medical devices, including risks related to cybersecurity.
- Health care delivery organizations (HDOs) should evaluate their network security and protect their hospital systems.
- Both MDMs and HDOs are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
It is clear going forward that cybersecurity is a top priority for the FDA. Not only that, but connected medical device security is becoming a critical requirement that HDOs place on MDMs. The most successful MDMs will differentiate themselves by solving important problems for patients while also prioritizing device security for HDOs.
Risks and Challenges
The most severe risk in cyberattacks is compromised patient safety and medical device efficacy. Other potential losses include intellectual property theft, exposure of sensitive patient data, and public relations damage to companies in the wake of cyberattacks.
Medical devices present HDOs with new security challenges because they are physically distributed throughout a system. Server farm locations can be secured with limited entry access, but medical devices are impossible to lock up. Software security updates are also more challenging to execute across devices than in traditional IT networks. Older devices may require manual updates with resource-intensive patching processes.
Best Practices for Medical Cybersecurity 2022
1. Keep Current with the Regulatory Landscape
The regulatory environment is evolving quickly in the US and internationally. This post from greenlight.guru provides a mid-2021 technical overview of the regulatory environment for cybersecurity. MDM professionals should review the following important papers from the FDA as well:
August 12, 2021 – A discussion paper to review cybersecurity issues pertaining to the servicing of medical devices.
Discussion Paper: Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities
May 12, 2021 – President Biden issued Executive Order 14028 on Improving the Nation's Cybersecurity. The FDA's comments in response to NIST's request highlight existing FDA guidance documents and international standards on the science of cybersecurity for the premarket review of medical devices and the post-market surveillance of cybersecurity incidents and vulnerabilities.
NIST Request on Presidential Executive Order: Comments Submitted by the FDA
November 21, 2021 – Currently open for comments; when finalized, this document will replace the 2005 version and provide information for premarket submissions supporting the FDA’s evaluation of the safety and effectiveness of medical device software.
GUIDANCE DOCUMENT – Content of Premarket Submissions for Device Software Functions
2. Design for the Whole Product Life Cycle
Secure connected medical devices require maintenance, monitoring, and updates across their lifecycle. Christopher Gates, Director of Product Security for Velentium, points out that MDMs need to design for the whole product lifecycle, not just development. MDMs need to plan on a continued relationship with the product, supporting security for the entire lifecycle of the product.
3. Implement a Secure Development Ecosystem
As cybersecurity needs and regulations increase, companies need to train software engineers to create secure devices. Including a Threat Model early in the development process is essential.
4. Reduce Exposure Risk from Vendors
Screen off-the-shelf (OTS) software code and third-party vendor and partner products for cybersecurity compliance. The FDA is clear that the MDM is responsible for the performance of any software included in its product, whether developed in-house or not.
For data management itself, look for reputable, regulation-compliant solutions for cloud data storage with analytics and active cybersecurity monitoring.
5. Anticipate Market Trends
Stay ahead of market trends in security to ensure devices remain compliant and are easily updated. For example, the FDA is pushing to require device developers to include a Software Bill of Materials (SBOM). The FDA also wants to see action plans for timely patch updates for older devices.
Consider the perspective of your market segments and customers. Large HDOs are beginning to screen medical devices for security before granting authorization to join the HDO IT network. For example, the Mayo Clinic enforces a Proactive Security Model to screen devices for potential cybersecurity weaknesses. Mayo is a best-practice model for HDOs, and this set of slides clearly illustrates the complexity faced by large HDOs in managing cybersecurity threats.
Winning the Cybersecurity War
In relation to medical devices, it’s safe to say that cybersecurity is the number one priority for regulators and HDOs in 2022. HDOs are taking action to improve the security of their networks and protect patient data. Regulations are changing as well. Medical device startups and manufacturers that anticipate the evolving landscape will gain a valuable competitive edge. More importantly, they will play an essential role in securing patient data and ultimately winning the war on cyberattacks.
Do you have questions about data storage security considerations such as compliance, configuration, and access control? We can help you with that. Contact us today to get started.