As healthcare continues to embrace connectivity across medical devices, cybersecurity is more important than ever before. And yet, a recent survey by Irdeto found that only 18% of medtech leaders believe the security built into their medical devices is strong.
Experts from Irdeto, Siemens Healthineers, and H-ISAC recently came together for a virtual panel discussion on what medical device manufacturers need to do in order to enhance their cybersecurity methods to protect their products and, ultimately, the providers and patients who use them. The panelists were Hans-Martin von Stockhausen, chief product and solution officer and senior product manager of cybersecurity at Siemens Healthineers, and Steeve Huin, chief marketing officer and general manager of Irdeto's connected health cybersecurity business. Moderating the discussion was Tyler Cyber, a threat intelligence analyst at the Health-ISAC Threat Operations Center. Below are the key takeaways from the discussion.
'Make the business case negative for the bad guys'
Huin said that in most cases, good cybersecurity is about making things hard enough to deter hackers and make them want to go hack something else, because your network or device is too hard a target.
"It's not necessarily to make things completely impossible to attack because with enough money and time anything can be attacked," Huin said. "It's mostly about making it hard enough that people go and do something else."
Stockhausen agreed and recalled a phrase he once heard about making the business case negative for the bad guys. You can only increase your protection measures so much, he said, because at a certain point they begin to interfere with the usability of the medical device.
"This is still a constant debate between product teams in U.S.-centric security, how much security is sufficient in the device, and how much security should shine through," Stockhausen said. "I would say really good security is security that goes by unnoticed but is still doing its job."
Achieving that balance is easier said than done, though, he admitted. Really strict cybersecurity controls typically have at least some impact on usability, so in medtech particularly it is difficult to define cybersecurity controls in a way that does not impact clinical routine.
Good cybersecurity talent is tough to come by
"From our analysis looking at other industries, and just broadly speaking, there is a global shortage of security engineers, people with the knowledge that is needed, because at this point in time almost every industry in the world is concerned about cybersecurity, right? We are living in a world that is hyper connected, which means that things are getting more and more vulnerable to attacks," Huin said. "…It's true that you need to think about hiring the right people that have that expertise, you need to think about also looking at standards."
He noted that there are quite a few cybersecurity standards organizations can follow for broad guidance, but he also acknowledged that some of those standards conflict with one another.
Stockhausen said organizations may discover that even without having any company-wide cybersecurity program or processes there are islands of individuals who are enthusiastic about security, understand the significance of it, and have possibly already started applying cybersecurity measures on a more local level, such as during the design and development phase, testing phases, etc. He recommends forming a community of practitioners to ensure that there's an exchange of knowledge, ideas, and enthusiasm regarding cybersecurity across the company.
Cybersecurity will never be a 'once and done' thing
Huin said cybersecurity never has been, and never will be, a once and done thing. It needs to start with the concept of a product and be carried through not just to commercialization but also in the post-market stage, throughout the product lifecycle.
"At the very beginning ... when you're actually starting to think about what you can build ... you need to ensure that we use the right technology, that you validated the technologies are doing exactly what [they're] supposed to do during your development process, and towards the release, and then of course the postmarket management," Huin said. "And make sure that you keep track of what's going on in the market [with the] device."
Cybersecurity must be embraced from the top down
Medical device manufacturers need to adopt a holistic cybersecurity strategy, with holistic being the key word, Stockhausen said. Every part of the company as well as the company's suppliers needs to adhere to cybersecurity standards, he said.
"And last but not least, all this needs to be picked up by management because only senior management makes security happen," he said.