I am honored to work with CHIME on the seven-part Medical Device Security webinar series to educate the community on healthcare cybersecurity. We’ll be sharing takeaways from this webinar on the Ordr blog.
I kicked off and hosted the first episode on July 6th, featuring a panel of thought leaders on the topic of medical device cybersecurity. Episode One’s expert panel included:
- Greg Garcia, Executive Director of the Healthcare and Public Health Sector Coordinating Council (HSCC)
- Jessica Wilkerson, JD, Cyber Policy Advisor of the All Hazards Readiness, Response, and Cybersecurity (ARC) team of the FDA’s Center for Devices and Radiological Health
- Rob Suárez, CISO of Becton Dickinson (BD) and chairman of the Medical Device Innovation Consortium’s (MDIC) Cybersecurity Steering Committee and the Advanced Medical Technology Association’s (AdvaMed) Cybersecurity Work Group
- Dr. Jeff Tully, MD, physician and anesthesiologist at UC San Diego Health, and hacker activist and co-founder of the CyberMed Summit
- Dr. Christian Dameff, MD, Assistant Professor, emergency physician, and Medical Director of Cybersecurity at UC San Diego Health, and hacker activist and co-founder of the CyberMed Summit
The challenges of device security were a central area of discussion. One particular concern the panelists raised was the limited attention clinical staff in hospitals generally dedicate to security. As noted by Dr. Tully, “for the average clinician, cybersecurity awareness is limited to the pesky, mandatory annual training modules we have to do to maintain our privileges at a hospital.” This is an example of “security by compliance”, as Ms. Wilkerson put it, which is precisely what the future regulatory framework aims to avoid. Patient safety is a top priority for all doctors, yet the potential harm to patients from neglecting cybersecurity standards is not always apparent. Promoting an industry-wide culture of vigilance toward device security, and building recognition of the very real, tangible threats that exist, is paramount to hardening the U.S. healthcare system against malicious attack.
An even more formidable obstacle is the capacity of healthcare delivery organizations (HDOs) to implement the necessary or mandated cybersecurity controls. “There are hospitals that are ‘cyber-haves’ and ‘cyber-have-nots’, and they’re going to be like that for a very long time,” said Dr. Dameff. He continued, “There are hundreds of hospitals in this country that don’t have two nickels to rub together,” explaining the dilemma faced by many rural critical-access hospitals. Struggling just to pay staff during the pandemic, these HDOs will likely be unable to afford security technologies such as multi-factor authentication, immutable backups, and appropriate network segmentation. Yet another resource constraint is the shortage of cybersecurity professionals in rural America needed to implement, operate, and support new systems and practices. Mr. Garcia concurred that this is a problem that calls for support and incentives from regulators rather than penalties for noncompliance. In other words, more carrot and less stick.
Legacy devices and their inherent vulnerabilities were discussed by Ms. Wilkerson and Mr. Garcia, both of whom are familiar with the difficulties of crafting policy and standards governing the security of antiquated technology. Mr. Suárez emphasized the importance of being proactive with device cybersecurity, as securing fifteen- or twenty-year-old devices is a very expensive endeavor. Today’s technology will be the legacy technology of tomorrow, so future-proofing against tomorrow’s threats is essential to avoid repeating the predicament our healthcare system is experiencing today.
Among the other topics covered by the panelists was the communication of known vulnerabilities to clinicians and patients. As noted by Dr. Tully, the cybersecurity literacy of the audience must be considered when deciding how and when to inform them of vulnerabilities in the devices with which they interact. Medical device manufacturers (MDMs) are vital to disclosing vulnerabilities and disseminating that information to doctors, who in turn educate their patients. Unfortunately, clinicians often neglect to communicate device vulnerabilities to patients. In his research on patient preferences, Dr. Dameff found that patients overwhelmingly want to be informed of vulnerabilities in the devices they use or have implanted, even when there is no realistic threat. “Cyber Informed Consent” is the term he used to describe the responsibility of clinicians to articulate vulnerability information in a meaningful way. Ms. Wilkerson reiterated this point: the FDA found the same sentiment in its own patient surveys. In her own words, “It should not be the FDA, or the manufacturers, or anyone else deciding what the patient wants, or doesn’t want, to know. That is for the patient to decide.”
Be sure to mark your calendars: next week we will recap the second episode of CHIME’s medical device security webinar series, Aligning Healthcare Cybersecurity, in a guest blog. The second episode featured Julie Chua, Director of GRC within HHS, and Erik Decker, CISO at Intermountain Health, who together lead the HHS 405(d) task group, and Rob Suárez, CISO of BD and lead on the MedTech Joint Security Plan. In it we discuss two publications from healthcare-industry public-private partnerships that have shaped medical device security more than any others.