Kurt Hagerman, Coalfire

Healthcare Breaks Out in 2019

By Kurt Hagerman

Trends that push boundaries and shake up medical device security.

In 2018, digital transformation and flexible care models were key themes in healthcare, as providers extended their healing reach from the healthcare delivery organization (HDO) to the patient, wherever they live and work. From a patient’s lens, this positive trend enables time and cost savings, flexibility, and a more comfortable care setting; for HDOs, it poses challenges to existing care models, IT assets, and security capabilities; and for medical device manufacturers and service providers, it offers a world of expanding opportunity.

2019 will see an escalation of this trend and more: All providers involved in the care continuum will expand their technologies, deploy new solutions, and shore up their support infrastructures to meet patients’ demands for flexibility. For medical device manufacturers, we predict the following seven interrelated trends will predominate in 2019:

  1. As remote care options expand, devices will proliferate and get smarter: Healthcare will continue its expansion outside the four walls of the HDO to serve patient demand. As HDOs struggle with the IT and cybersecurity challenges associated with supporting remote monitoring, telehealth, and consumer wearables in a world where the perimeter is now every patient’s location, medical device manufacturers will see huge growth in demand. We also expect to see not only new types of smart healthcare devices, but also new capabilities as device manufacturers build applications and data analytics into their technologies, offering expanded services to both patients and HDOs. A challenge has been a lack of CMS reimbursement codes for remote care and devices; but clearly this trend is here to stay, and CMS has been working to address this gap.
  2. More devices yield more ePHI and data to protect: More remote devices inevitably produce vastly more electronic protected health information (ePHI) to store, assess, and monitor/analyze as well as more security event data. Expect to see a rise in the use of emerging technologies to manage the workload, including advanced predictive analytics, artificial intelligence and machine learning deployed in cloud environments. We also predict device manufacturers will increasingly move into the data management space, collecting and analyzing this data. This is a significant shift in the where, how, and who of data analysis in healthcare. The FDA has released a set of updated security parameters to help device manufacturers build more secure devices: “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” We strongly recommend that manufacturers read, understand and follow this guidance to build security into their technologies from the ground up.
  3. More data requires a shift in architectures: The ingestion, analysis, storage and protection of this influx of data will exceed what organizations can handle with legacy gear. We believe new architectural models will also be leveraged within cloud deployments to become more efficient in managing the increased task volume. Look for a growing shift toward serverless architectures as well as containers and microservices. These newer models enable coding environments and applications to be treated as non-monolithic, enabling agility and flexible scaling of isolated functions for improved efficiency and usage models, driving down operational costs and improving productivity.
  4. Blockchain will be employed for data integrity/security: Blockchain is best known for its use in cryptocurrency, but its distributed, high-trust model and unalterable record have demonstrated great promise in helping assure data integrity, trust and resiliency, as well as implementing preventive maintenance (patching) and managing supply chain applications (tracking and asset management). For device manufacturers wrestling with growing volumes of ePHI, ensuring its security both in transit and at rest will be paramount, and we believe blockchain will increasingly become a cybersecurity and management enabler.
  5. Cybersecurity will become a key point of differentiation: Gone are the days when people plugged in connected devices without a care for security. Patients and HDOs will demand security assurances, and for those manufacturers that understand the threat landscape and have modalities to continually update and patch their devices to achieve that holy grail—threat resistance—product differentiation can truly be achieved. Security will become a major selling point and differentiator, particularly as device manufacturers are able to leverage blockchain for data integrity and security. The FDA’s pre-market guidance referenced above is a good start; but for those companies truly wanting to differentiate, it’s important to understand that security frameworks are rarely sufficient in and of themselves to ensure security. We recommend technical testing as well to determine whether the controls implemented were effective in securing the product. Then organizations would be well advised to promote their dedication to security.
  6. Device manufacturers get targeted by phishing/spear phishing attacks: The more monetized data an entity maintains, the better a target it makes. As device manufacturers move into the data analytics space, they will likely attract attackers with their highly valuable and concentrated healthcare data stores. Phishing and spear phishing are still some of the most effective, highly utilized entryways to the enterprise network and assets, and the techniques are getting increasingly targeted and sophisticated. Manufacturers will want to ramp up their security awareness training and offer dedicated phishing testing programs.
  7. Vendor risk in the spotlight: High-profile hacks introduced by third-party vendors have brought this risk into the spotlight as we roll into 2019, and we expect to see it as a focal point in healthcare security. Device manufacturers will be under increasing scrutiny; and as they expand the data analytics space and enter the domain of “partner,” they will need to be ready to demonstrate that they are meeting a high bar around security and privacy (pointing back to Trend #5: “Cybersecurity will become a key point of differentiation”). Increasingly, HDOs are adding security addendums to contracts and procurement policies with manufacturers—device manufacturers should be prepared to provide independent validation of their security program and controls to provide the needed transparency.

Healthcare will strive to reach the triple aim of improving population health, improving the patient care experience, and reducing healthcare costs (and some organizations add a fourth, “attaining the joy of work” for care delivery professionals). These aims are enabled by technology and challenged by security and privacy risk. Let’s see how 2019 and beyond unfold!
