Connected medical devices have become essential for modern healthcare. Their prevalence has improved healthcare immensely but also brought an increased threat of cyber attacks. Last year saw a 55% increase in cybersecurity attacks on healthcare providers in the United States alone.
With patient data, health records, and critical infrastructure at risk—and connected devices only set to become more widespread and complex—the industry needs to reconsider its approach to cybersecurity protection.
Our health systems have had to transform how they operate during the coronavirus pandemic. From staff to resources, healthcare services have been at or over capacity in many countries for the best part of eighteen months.
Partly due to this pressure, the surge in connected medical device adoption has seen the industry make a decade’s worth of progress practically overnight.
As many healthcare organizations rush to adopt connected solutions, however, they are also having to confront the cybersecurity implications of connectivity. With healthcare organizations (HCOs) encountering a near 50% increase in cyberattacks by the end of 2020, the need to better address vulnerabilities in digital health systems is more pressing than ever.
Cyberattacks aren’t just becoming more frequent, however; they’re also becoming more sophisticated. Recent years have seen a range of new threats come to the fore: 18 zero-day vulnerabilities, codenamed Ripple20, were identified recently by the cybersecurity firm JSOF, while a set of vulnerabilities in IPnet software, named URGENT/11, poses a particular threat to the healthcare industry according to the FDA.
It’s easy for us to chalk cybersecurity risks up as just another complication digital health providers need to consider when operating in the space. But, as the ramifications of cyberattacks become more severe, the need to act is all the greater.
So how exactly should healthcare providers look to update their approach to cybersecurity?
Don’t Rely Just on Guidance
The industry now has much-needed new cybersecurity guidelines to work with in the form of the FDA’s 2018 Cybersecurity Guidance document, released just a few months ago.
The problem is that the seven-year gap since the last release of federal guidelines has seen many U.S. states take matters into their own hands and build out their own device security regulations. Many of these laws, California’s for example, require that a very prescriptive approach be followed for devices to gain approval, in contrast with the FDA guidelines, which leave implementation open to individual interpretation.
A piecemeal approach that rests on multiple different guidance documents will only lead to substandard implementation, especially as guidelines at state, federal, and international level are all likely to change as technology develops. While it’s crucial to follow the relevant regulations and guidance, it’s important to stay abreast of the latest developments, too.
A Better Approach to Cybersecurity
Medical devices were long seen as safe from cyberattacks, due to their comparative lack of connectivity. With the arrival of widespread connectivity, however, most devices are linked up in one way or another, making the medical industry just as much a target as any other.
What that means is security must now be baked into the entire process of creating a medical device. To be truly effective, security needs to be considered by every business function that will use the solution across the entire lifecycle of a device. Ensuring updates are managed securely is also a key part of this.
By unifying disparate elements of the development process, device creators can get a more comprehensive oversight of the problems they face and create solutions that address these holistically.
While secure development can be undertaken in a variety of different ways, ideally it should closely match the processes of a device development team. Asset-based approaches that rely on a development team’s knowledge of what is necessary in a device are most effective, with development teams running security analysis to understand how best to build devices so all assets can be adequately protected.
Device-based encryption keys are just one example of a proactive security approach. Built in during assembly, per-device encryption keys ensure devices transmit data securely when used in the field. Every transmission is encrypted together with a precise location and starting point, and the integrity of the data is verified when it is decrypted at the data center, confirming it hasn’t been tampered with or otherwise compromised in transit.
This process takes place with no need for integration with a hospital’s EHR system or other networks, reducing cost, complexity, and other risks associated with interfacing with another protected network.
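The device-to-data-center flow described above, as an added illustration that is not code from the original article or from any vendor: each device receives its own AES-256 key at assembly (derived here from a constructed factory root key with HMAC-SHA256, a simplification of a real key-provisioning step), encrypts each telemetry record with AES-GCM, and binds the cleartext header (device serial, sequence counter as the "starting point", and deployment location) to the ciphertext through the authentication tag. The receiver re-derives the device key from the same root, rejects any record whose tag fails, and only then checks the sequence counter so that forged records can never poison its replay state. The device ID, location strings and telemetry payload are all constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed factory root key for this example. In a real production line it
// lives in an HSM at the factory and at the data center, never on the device.
var factoryRootKey = bytes.Repeat([]byte{0x42}, 32)

// deriveDeviceKey diversifies the root key per serial number with HMAC-SHA256,
// so every unit leaving assembly carries its own 256-bit AES key.
func deriveDeviceKey(root []byte, deviceID string) []byte {
	mac := hmac.New(sha256.New, root)
	mac.Write([]byte("device-key/" + deviceID))
	return mac.Sum(nil)
}

// Record is one telemetry message as sent over the wire. DeviceID, Seq and
// Location travel in the clear but are covered by the GCM tag, so altering
// any of them is detected at the data center.
type Record struct {
	DeviceID   string
	Seq        uint64 // monotonic counter: the "starting point" of the message
	Location   string // where the device is deployed, e.g. ward and bed
	Nonce      []byte
	Ciphertext []byte // AES-GCM ciphertext with the 16-byte tag appended
}

// associatedData serialises the cleartext header that the tag must cover.
func associatedData(deviceID string, seq uint64, location string) []byte {
	seqBytes := make([]byte, 8)
	binary.BigEndian.PutUint64(seqBytes, seq)
	return append([]byte(deviceID+"|"+location+"|"), seqBytes...)
}

// Seal runs on the device: it encrypts the payload under the device key and
// authenticates the header alongside it.
func Seal(deviceKey []byte, deviceID string, seq uint64, location string, plaintext []byte) (Record, error) {
	block, err := aes.NewCipher(deviceKey)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, associatedData(deviceID, seq, location))
	return Record{DeviceID: deviceID, Seq: seq, Location: location, Nonce: nonce, Ciphertext: ct}, nil
}

// ErrReplay is returned for a genuine record whose counter did not advance.
var ErrReplay = errors.New("sequence number did not advance: replayed or reordered record")

// Receiver runs at the data center. It holds the root key and the last
// accepted sequence number per device.
type Receiver struct {
	root    []byte
	lastSeq map[string]uint64
}

func NewReceiver(root []byte) *Receiver {
	return &Receiver{root: root, lastSeq: make(map[string]uint64)}
}

// Open verifies integrity first, then freshness, and returns the plaintext.
func (r *Receiver) Open(rec Record) ([]byte, error) {
	block, err := aes.NewCipher(deriveDeviceKey(r.root, rec.DeviceID))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != gcm.NonceSize() { // gcm.Open panics on a bad length
		return nil, errors.New("malformed record: wrong nonce length")
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, associatedData(rec.DeviceID, rec.Seq, rec.Location))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed for device %s: %w", rec.DeviceID, err)
	}
	// Only after the tag verified do we consult the counter, so a forged
	// record can never poison the per-device replay state.
	if last, seen := r.lastSeq[rec.DeviceID]; seen && rec.Seq <= last {
		return nil, ErrReplay
	}
	r.lastSeq[rec.DeviceID] = rec.Seq
	return pt, nil
}

func main() {
	const deviceID = "PUMP-0042"                           // constructed serial number
	deviceKey := deriveDeviceKey(factoryRootKey, deviceID) // provisioned at assembly
	rx := NewReceiver(factoryRootKey)

	rec, _ := Seal(deviceKey, deviceID, 1, "ward-3/bed-12", []byte("rate=2.5ml/h"))
	pt, err := rx.Open(rec)
	fmt.Printf("genuine:  %q err=%v\n", pt, err)

	tampered := rec
	tampered.Location = "ward-3/bed-13" // header edited in transit
	_, err = rx.Open(tampered)
	fmt.Println("tampered:", err)

	_, err = rx.Open(rec) // same record delivered twice
	fmt.Println("replayed:", err)
}
```

The design choice worth noting is the order of checks in `Open`: the tag is verified before the counter is read or updated, so an unauthenticated message can only ever produce an integrity error and never advances the device's accepted sequence number. Because the receiver needs nothing but the root key and the record itself, there is no dependency on the hospital's EHR or other networks, which is the cost and complexity saving the article describes.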
The result is a data path that is protected from the device all the way to the data center, at far lower cost and complexity.
Advanced Preparation Mitigates Risk Most Effectively
With connected medical devices now essential to the effective operation of our healthcare systems, a comprehensive approach to cybersecurity is vital.
Regulatory clarity will go a long way in making the process easier, but device manufacturers can’t afford to wait. They must consider security from the start of the device creation process, right through to the end of a product’s lifetime.
A proactive approach to security is the most effective way to mitigate cybersecurity risks and keep patients and clinicians safe. More than that, it also means less investment is required in the long-term, whether it’s to fix inadequate security processes retroactively or counter large-scale security breaches. And for hospital employees, that means more time to devote to tasks that really make a difference to patient wellbeing.