It’s Impossible to Eliminate Cybersecurity Threat
Five hundred billion. That’s the estimated number of times a patient will be exposed to a connected medical device over the next 10 years. Yet we as an industry don’t know anything about those exposures, said Dale Nordenberg, M.D., co-founder, executive director of Medical Device Innovation, Safety & Security Consortium. “Our digital health structure is a new utility that we haven’t matured like electric & water,” he explained. “We want to safeguard this innovation.”
Key stakeholders in medical device cybersecurity gathered during a recent MedTech Intelligence conference on the topic to discuss that exact point—ensuring innovation continues while securing devices and protecting against the constant and evolving threats.
“For all the best efforts that industry and all stakeholders can take, the ability to entirely eliminate the possibility of a hack or exploit occurring just doesn’t exist,” said Suzanne Schwartz, M.D., associate director for science and strategic partnerships at CDRH. “We have to understand that these are not entirely preventable.”
Cybersecurity isn’t just about patient privacy—it’s also about the security of a medical device, said Laura Elan, North American service leader for UL, LLC’s regulatory solutions and eHealth business. “There’s no such thing as a product that isn’t hackable.”
Biggest Threats in Cybersecurity
According to the FBI, some of the biggest threats the agency is seeing in the cybersecurity arena are:
- Phishing emails. Some companies remove all connectivity so employees cannot click on email links. However, it is advised to avoid clicking on any links included in emails.
- Ransomware. While many organizations pay the ransom, the FBI advises against this approach and encourages companies to contact the agency if they suspect they are victims.
- Cloud backups. While storing data in the cloud can be useful, where do your vendors keep their servers? Are they in the United States or in a country that is an adversary?
- Supply chain security. Be careful where you do business and manufacture products, especially if it’s in adversarial countries.
Plan for an Attack
Once an incident occurs, the FBI gets involved. However, companies will be better positioned to deal with an incident if they follow three general recommendations, advises Kiran Raj, former deputy general counsel for the Department of Homeland Security:
- Have an incident response plan in place before an incident. (It may sound obvious, but there are companies that don’t have a formalized plan.)
- Don’t have the response plan on the shelf. Companies must be prepared to deal with an incident and should go through the motions ahead of time.
- Understand the scope of your company’s interaction with the government in advance. This includes having a plan in place on who should be contacted from the respective agencies.
Companies can sign up to receive FBI alerts by emailing Cywatch@ic.fbi.gov. This resource will keep companies updated on breaking news and other FBI updates in cybersecurity. The agency also encourages device companies to have a relationship with their local/regional FBI office. When an incident does occur, a complaint should be filed with IC3 (the FBI’s Internet Crime Complaint Center). This Center allows the FBI to keep track of patterns and trends related to complaints as well.
About The Author
Maria Fontanazza
Editor-in-Chief
Maria Fontanazza has more than 15 years of experience in journalism, marketing and communications. She was previously marketing communications manager and market research manager at Secant Medical, Inc., a manufacturer of biomedical textiles and advanced biomaterials. Fontanazza also served as an editor at MD+DI and has authored articles that have appeared in domestic and international industry publications. Fontanazza has a B.A. in Journalism and Mass Communications with a concentration in New Media and Visual Design, and a Minor in Fine Arts, from St. Michael’s College in Colchester, VT. Follow her industry insights on Twitter at @MariaFontanazza.