Moving Target: What Makes Cybersecurity So Hard?

By Maria Fontanazza
October 1, 2020


• Categories: 03-Manufacturing Execution, 04-Product Design & Development, 05-Quality/Regulatory

We all know the phrase “change is hard”. In the case of medical devices and cybersecurity, change is exactly the variable that creates a challenge in ensuring product security all the time. This topic was the focus of an entire session at last week’s MedTech Intelligence Medical Device Cybersecurity Conference. Seth Carmody, vice president of strategy at MedCrypt (and former cybersecurity program manager at FDA), led a panel discussion titled, “Why Is Security So Hard?”. The following is a brief look at some of the takeaways from the conversation.

The Basics: Why Is Security So Hard?

• Change. “Change is fundamentally hard,” said Anura Fernando, director and principal security architect at BrightInsight. “We not only have to worry about the product itself changing, but we also have to worry about the environment changing. We have a lot of variables to manage over time. Just when you think things are stable, they change again.”
• Device complexity.
• The human factor. For example, taking a system offline for maintenance can impact clinical use.
• It can’t be reactive. A security breach will have a reputational and economic impact on both the medical device manufacturer as well as the healthcare organization—it’s a shared responsibility. Think of cybersecurity as buying an insurance policy, said Erich Murrel, chief information security officer, medical devices, for the U.S. Air Force. Companies should take proactive measures to keep things safe and secure before something negative happens.

“Heterogeneity and personnel practices, and capabilities and technologies are continually evolving and changing over time, so you have to change…Security is never stagnant.” – David Guffrey, biomedical cybersecurity specialist, Partners Healthcare

Legacy Devices: Are We in a State of Continuous Legacy?

• Industry maturity. Many products currently in development, along with their next-generation versions, do not have a level of security that is adequate. The panelists agreed that the industry is still maturing in this area and has about 10–15 years until it reaches where it needs to be regarding optimal device security.
• Definition of security. The device developer and the provider may have different definitions. In addition, a healthcare delivery organization will have different resources available to ensure security depending on its size. For example, a larger hospital may have better integration capabilities and an ability to support secure system architecture, while a small, local hospital may not have any resources—and this is where a medical device manufacturer may want to consider ensuring it has the right controls to provide more security to this hospital. “It goes back to what does the customer need,” said Guffrey.

Cost: Making the Business Case

• It’s a customer need. Pairing privacy and security is a conversation that makes it up to the C-suite—this is the investment that is necessary in order to have a product that can be sold.
• It’s a regulatory need. HIPAA and FDA require a level of compliance.
• It’s a legal need.

Where Do We Go From Here?

• We have to make it [security] easier,” said Carmody.
• There needs to be a common understanding for meeting privacy and security controls.
• Continued investment, commitment to improvement, and shared responsibility on the part of medical device manufacturers and healthcare delivery organizations.
• Figuring out how to strike the between security and interoperability in a way that makes connective technologies viable.
• Keeping and strengthening the direct relationship in the triangle of safety, effectiveness and security. One of these elements cannot be removed.