In retrospect, cybersecurity in 2020 suffered the same fate as many other things in our professional and personal lives—it took the back seat. COVID-19 drove the agenda, directly or indirectly, and deprioritized everything else. There was a war to be fought against the pandemic, and we had to go to war with the weapons we had, not the ones we needed.
It would have been nice to have been able to develop a pervasive and proactive strategy to address cybersecurity risks as we rolled out telehealth for the masses, moved employees out of the hospital and into their homes, stood up collection and vaccination sites in parking lots, converted conference centers to temporary care facilities, and rolled out masses of urgently needed devices to meet the demand created by the onslaught of intensive care patients.
We had to ramp up production, often in factories that had never built medical devices, and we had to introduce new designs of simplified and mass-producible systems. Security took the back seat as the virus dictated priorities—there was simply no other choice.
This dire situation created a number of challenges, including clinical and cybersecurity risks. In recognition of hazards that have developed in today’s environment of unprecedented stresses and rapid technological changes, the ECRI Institute observed in its most recent list of Top 10 Health Technology Hazards the “technology management challenge unique to this moment in time: the need to manage large numbers of medical devices and supplies that have only been authorized for temporary use.”
This uniquely poses both clinical safety as well as cybersecurity risks through the process of emergency use authorization (EUA). This is an inherent part of such an emergency process—we are in a crisis and the risk through the accelerated process is generally believed to be lower than the risk due to not having the underlying devices, technologies, or drugs available. Under the circumstances, we had to trade off the thoroughness of the process against the speed of availability of new treatments.
While required to meet the immediate needs, this is unprecedented territory for healthcare. There is anticipated guidance on transitioning these EUA devices into a traditional and more thorough premarket approval process, but what about the time in between? Will there be a retroactive review of the behavior of these devices to confirm whether there were cybersecurity vulnerabilities that may have been exploited? Or will there become a regulatory precedent for such relaxed approval to have existed without introducing undue risk yet providing novel technologies sooner and therefore be more beneficial? Given many hospitals already struggle with inventory management, it seems an even more daunting task for them to identify which devices can continue to be used under EUA approval, which are not, and which require some sort of action to bring them to the final approved state, e.g., via a software update.
Now, though, is the time for learning and preparation for the next crisis. We, the healthcare industry, need to develop a much more foundational approach to cybersecurity. It cannot be reactionary—it needs to be proactively designed into devices and be an inherent part of our engineering and quality system processes. It cannot be an afterthought because any reactive approach will again need to yield to the next health crisis and therefore ultimately fall short.
Another cybersecurity lesson learned is related to our emergency stockpiles. We learned the hard way that our supply of drugs, protective equipment, and critical care devices like patient monitors, infusion pumps, or respirators was insufficient. Again, an opportunity for improvement as we need to develop a better emergency supply and reserve on a local and national level. Yet, any software-based device that is warehoused for maybe years needs to be ready at the go. In the next pandemic, these devices need to be distributed effectively and deployed rapidly—there won’t be time to update operating systems and deploy patches. Again, this would call for a proactive and inherent approach to cybersecurity.
We know that cyberattacks on the healthcare sector have been going up—2020 showed a 27% increase in healthcare breaches reported to the U.S. Department of Health and Human Services (HHS). COVID-19 has only accelerated that trend through lowered defenses and desirable intellectual property, like research related to treatment and vaccine development. Unfortunately, cybercriminals and nation-state attackers are using this opportunity to their advantage.