Alex Butler, Manager, Medical Device Solutions, MasterControl, 08.31.17
[If you haven’t yet read Part 1 of this series, click this link and do so now. Then come back and read Part 2. Look for Part 3 coming soon.]
The statistics are alarming; according to a new KPMG survey, 47 percent of healthcare providers and health plans said they had experienced security-related HIPAA violations or cyberattacks—up 10 percent from the consulting giant’s 2015 survey. Yet, only 35 percent of survey respondents—100 C-level technology, information and security executives—feel “completely ready” to defend themselves against an attack. What’s more, the survey revealed a disturbing trend—companies are spending less on cybersecurity defense programs at a time when the number of connected medical devices on the market is rapidly increasing. I continue this series of posts on 2017 medtech trends with a look at the risk cybersecurity vulnerabilities pose to device innovation.
Innovation Comes with Challenges
The benefits of connectedness are undeniable. Empowering patients to manage some aspects of their care can lead to fewer doctor visits and shorten hospital stays, reducing the overall cost of care. Unfortunately, connectivity comes at a price, and it’s a price not everyone is willing to pay. According to a 2016 report from PwC HRI, 50 percent of respondents said they would avoid using a connected medical device in the wake of a cyber breach. The report confirms that consumers value privacy over convenience, so unless device makers can assure consumers their devices are safe from attack, new products and technologies will have a tough time gaining market acceptance. What can device manufacturers do to reduce their exposure to cyber threats?
Building Security into the Innovation Process
According to the FDA, the first step is to consider possible cybersecurity risks as part of the design and development process and build security into the device. When seeking approval for a new device, manufacturers should submit documentation about the risks identified, as well as the controls they have implemented to lessen those risks. The agency also recommends manufacturers present their plans for providing software patches and updates to operating systems and medical software. While many device manufacturers are following the FDA’s advice, many are not.
Shodan: The World’s Scariest Search Engine
A recent Trend Micro report, Cybercrime and Other Threats Faced by the Healthcare Industry, found that more than 36,000 healthcare devices were easily discoverable using Shodan, a search engine capable of discovering interconnected devices that exist online—everything from baby monitors to, you guessed it, medical devices.
The search engine works by scanning the Internet and parsing the banners that are returned by various devices. If inadequate security measures are in place, exposed devices can be easily manipulated by hackers. Security researchers have found many alarmingly vulnerable medical systems online, including fetal heart monitors and the power switch for an entire hospital wing.
Of course, security risks don’t always come from external sources. Internal security risks, such as employees sharing login credentials or opening email files from unknown senders, are often harder to detect and prevent. In the end, no device, or device company, can claim to be hack-proof. Therefore, manufacturers should operate under the assumption that breaches will occur and get in the habit of following trends to stay one step ahead of new security risks.
Postmarket Vigilance is Critical
As the FDA has noted, building security into the design of devices isn’t enough. Manufacturers must also implement ongoing monitoring and mitigation efforts to ensure that devices continue to function properly and patient information is secure. The agency emphasizes that “manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.” To do this, the agency recommends establishing a risk assessment process that uses a cybersecurity vulnerability assessment tool to rate vulnerabilities and determine the need for and urgency of a response, and that uses the ANSI/AAMI/ISO 14971 standard (Application of Risk Management to Medical Devices) to assess the severity and impact to health if the vulnerability were exploited.
Industry Tips for Minimizing Risk
While the FDA has provided guidance, the responsibility of building and maintaining safer devices ultimately falls to manufacturers. Security experts at The Chertoff Group, a global risk-management and security company, have identified three areas industry should address to advance device safety:
- Develop a common set of standards explaining how to integrate security into device design
- Agree on a methodology for evaluating the benefits and risks associated with devices
- Share knowledge of cyber threats and best practices with the government and each other to build a safer healthcare network.
In this new digitized health ecosystem, balancing convenience, safety, and privacy will continue to challenge industry, regulators, providers, and even patients themselves. Only by working together can we enjoy the benefits of exciting new technologies while mitigating their inevitable risks.
Other parts of this series:
- 5 Medtech Trends Shaping 2017: Connected Health and Seniors
- 5 Medtech Trends Shaping 2017: The Pharma/Medtech Convergence
- 5 Medtech Trends Shaping 2017: Trump’s Impact
- 5 Medtech Trends Shaping 2017: Disruption from Outsiders
Alex Butler, the manager of medical device solutions at MasterControl, is focused on developing solutions that help medical device companies increase efficiencies, ensure compliance, and speed time to market. Before joining MasterControl in 2014, Butler worked as a product development manager for Opal Orthodontics, a division of Ultradent Products Inc., where he helped launch several Class II medical devices, including the Opal Espirit Class II Corrector. With more than five years of direct medical device experience, as well as a deep understanding of the FDA’s submission process and audit procedures, Butler is a vital part of the MasterControl product management team.