Cybersecurity Doesn’t Start Or End With Information Technology
Mike has over 15 years of experience in healthcare, including extensive experience designing and developing medical devices. MedCrypt, Inc.
As the healthcare industry increasingly relies on connected medical devices, the potential consequences of unmitigated cybersecurity vulnerabilities grow more widespread. Just as the CrowdStrike outage caused by a faulty sensor update raised concerns about the impact of software maintenance and testing failures, the voluntary recall of certain wireless insulin pumps by a leading medical device manufacturer (MDM) highlights the critical impact software can have on delivering reliable patient care. Those pumps could be hacked, and a successful attack could cause them to deliver incorrect insulin doses to diabetic patients. These incidents underscore the importance of building secure connectivity into medical devices and their supporting software systems to prevent such life-threatening situations.
The Traditional Approach To Cybersecurity
Historically, cybersecurity focused on protecting corporate infrastructure, with investments in firewalls, anti-malware and network security for enterprise IT. Unlike standard IT systems, medical devices interact directly with patients, clinical workflows and sensitive patient data, and they are highly customized embedded systems that typically cannot run off-the-shelf security products such as endpoint agents. They therefore demand tailored security controls and ongoing vigilance.
The evolving cybersecurity landscape for MDMs necessitates a shift in budget allocation to ensure cybersecurity is prioritized, integrated into all product lines and supported by secure product life cycle management processes. Product security isn't the same as traditional IT security and must be planned for and designed into devices accordingly. Device security must be built into device design from the very beginning and carried through deployment and maintenance, with consideration for a variety of constraints, such as device operation, available compute resources, unpredictable connectivity and user (patient or clinician) interaction.
Unique Challenges In Medical Device Security
Medical devices face distinct cybersecurity challenges that can't necessarily be met using existing operational budgeting models:
• Inter- And Intra-Connectivity: Ensuring secure communication between medical devices, hospital systems and patient apps is complex. A single product often consists of several endpoints (for example, the device itself, a controller app and a cloud service) that must communicate securely with one another. Ensuring the confidentiality and integrity of communication across these platforms requires cryptographic implementations that fit within the device's compute, memory and power budget and that can be maintained, including key management, while devices operate in the field.
• Regulations And Compliance: MDMs must comply with stringent regulations such as the FDA's premarket and postmarket cybersecurity guidance, and must build devices that allow the hospitals operating them to meet their own HIPAA obligations. These guidelines outline security requirements and cite specific standards to ensure patient safety and privacy, including code signing, a software bill of materials (SBOM), vulnerability management and maintenance procedures over a device's lifetime.
• Cybersecurity And Clinical Use Cases: Effective medical device cybersecurity requires collaboration among engineering, product security and other specialized teams. Because devices operate in complex environments, including patient and clinician interaction, these teams must understand the clinical use case to ensure the device is “secure by design.”
• Clinical Efficacy: Security measures must be designed so they don’t compromise clinical operation. For example, making a pacemaker physically larger to accommodate additional hardware for security and providing a larger battery to power the additional computations is difficult to justify. Security must be embedded within a system without altering its clinical functionality.
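The connectivity bullet above, and the insulin pump recall described at the top of the article, come down to one concrete requirement: a pump must reject any dosing command that was not produced by its paired controller, was altered in transit or was captured and re-sent later. The following is an added example written for this article, not code from the original page or from MedCrypt. It assumes a 256-bit key pre-shared at pairing time (the key bytes and command strings are constructed for the example) and covers integrity and replay protection only, using standard-library HMAC-SHA256 with a monotonic counter; a production design would add confidentiality with an AEAD cipher such as AES-GCM or ChaCha20-Poly1305, and the truncated 128-bit tag shows the kind of trade-off made to keep radio frames small on a constrained device.

```python
"""Authenticated, replay-resistant command frames between a controller app and a pump.

Added example (not the article's or MedCrypt's code). Assumes a pre-shared
256-bit key provisioned when the app and pump are paired. Integrity and replay
protection only; confidentiality would be layered on with an AEAD cipher.
"""
import hashlib
import hmac
import struct
from typing import Optional

# Constructed for the example: a 256-bit key provisioned at pairing time.
PAIRING_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0" "00112233445566778899aabbccddeeff"
)
COUNTER_LEN = 8   # 64-bit monotonic message counter, big-endian
TAG_LEN = 16      # HMAC-SHA256 tag truncated to 128 bits to keep radio frames small


class CommandSender:
    """Controller-app side: stamps each command with a counter and an HMAC tag."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._counter = 0

    def seal(self, command: bytes) -> bytes:
        self._counter += 1
        header = struct.pack(">Q", self._counter)
        tag = hmac.new(self._key, header + command, hashlib.sha256).digest()[:TAG_LEN]
        return header + command + tag


class PumpReceiver:
    """Pump side: accepts a frame only if the tag verifies and the counter is fresh."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_counter = 0

    def open(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < COUNTER_LEN + TAG_LEN:
            return None
        header = frame[:COUNTER_LEN]
        command = frame[COUNTER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + command, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; verify integrity before trusting the counter field.
        if not hmac.compare_digest(tag, expected):
            return None
        counter = struct.unpack(">Q", header)[0]
        if counter <= self._last_counter:
            return None  # replayed or reordered frame
        self._last_counter = counter
        return command


def demo() -> dict:
    """Runs the four cases a pump must get right and returns what each yielded."""
    app = CommandSender(PAIRING_KEY)
    pump = PumpReceiver(PAIRING_KEY)

    frame = app.seal(b"BOLUS units=2.0")
    accepted = pump.open(frame)

    # Attacker flips one bit of the dose digit in transit ('2' -> '3'); tag no longer verifies.
    tampered = bytearray(frame)
    tampered[COUNTER_LEN + len(b"BOLUS units=")] ^= 0x01
    tampered_result = pump.open(bytes(tampered))

    # Attacker re-sends the genuine frame; counter is no longer fresh.
    replayed_result = pump.open(frame)

    # Unpaired device with a different key cannot forge a valid tag.
    rogue = CommandSender(bytes(32))
    forged_result = pump.open(rogue.seal(b"BOLUS units=25.0"))

    return {
        "accepted": accepted,
        "tampered": tampered_result,
        "replayed": replayed_result,
        "forged": forged_result,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result!r}")
```

The receiver checks the tag before it looks at the counter so that an attacker cannot move the pump's replay window by sending unauthenticated frames, and the counter must be stored in non-volatile memory on the pump so a reboot does not reopen the window for old frames; both are the kind of design detail that has to be settled during device design rather than bolted on later.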
The Need For A New Budgeting Approach
Consequently, MDMs must adopt a new budgeting approach to cybersecurity. This approach involves three key elements:
1. Understanding Business Value: Manufacturers need to integrate security considerations into the business value of their clinical interventions. This means recognizing how cybersecurity enhances the overall value proposition of their devices, ensuring that security is seen as a critical component of product quality and patient safety and reducing business risks resulting from insufficient security.
2. The Impact On Business Models: Security considerations must influence business models, especially for connected devices. For example, a secure hub for surgical robots or a “rent-not-buy” capital equipment model can provide new revenue streams if enabled with robust cybersecurity measures.
3. End-Of-Life Support: Manufacturers must better quantify and plan for the ongoing security exposure of devices in the field. This includes ensuring security measures remain effective throughout the device’s clinical life and providing end-of-life support to manage and mitigate any residual risks.
Practical Steps For Securing Your Cybersecurity Budget
Securing the necessary budget for cybersecurity involves a strategic approach:
• Building A Business Case: Justify the need for increased cybersecurity budgets by demonstrating the potential risks and costs of cyber incidents. Use successful strategies and case studies as support.
• Engaging Stakeholders: Communicate the importance of cybersecurity to board members and other decision-makers. Provide clear, evidence-based arguments for why cybersecurity investments are necessary.
• Elevating Product Security To A Board Responsibility: Boards need to understand the impact of security on their business and take on responsibility accordingly. Boards also should establish a culture of cybersecurity and support related organization and budget changes.
Cybersecurity Budgeting In Practice
An illustrative example comes from a leading multinational medical device manufacturer. The global security division recognized the urgent need to integrate secure connectivity into current and next-generation devices. To drive proactive investment in cybersecurity, it created a compelling business case, highlighting the regulatory, reputational and financial risks of an existing device.
By quantifying the ROI of cybersecurity investments and enumerating regulatory risks, they highlighted unaddressed cybersecurity gaps and resulting business risks. This included proposing an incremental connectivity development roadmap with security recommendations for existing connected devices to maximize short-term value.
These recommendations used secure-by-design principles for current and next-gen devices. Highlighting regulatory, reputational and financial risks spurred over $1 million in cybersecurity investment and led to adjustments in the five-year plan for next-gen devices. This proactive approach fortified the company’s cyber defenses, made cybersecurity a strategic priority and demonstrated its business value and innovation potential.
Conclusion
The evolving cybersecurity landscape for MDMs requires a shift in business and budgeting strategies. Traditional approaches to cybersecurity are no longer sufficient. MDMs must re-evaluate their budgets and adopt a comprehensive approach that recognizes the interconnection of software maintenance, testing and security. This will better protect their products, help ensure patient safety, maintain operational integrity and reduce regulatory and market risks. The stakes are high, and robust cybersecurity measures are more urgent than ever. Healthcare thrives when patients benefit from the latest technology, and that depends on the reliability and security of the medical device ecosystem.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.