Special thanks to the H-ISAC member, a Senior Principal Cyber Security Engineer, R&D, who wrote this article and, in the spirit of information sharing, agreed to let us post it in our Finger on the Pulse blog.
The number of companies that comprise the current healthcare system is staggering. They range in size from quite small to immensely large and they all are interconnected in one way or another. Their collaborative efforts stretch across the entire continuum of healthcare practices and are immensely efficient. One of the most notable of these efforts is the partnership between health delivery organizations (HDOs) and medical device manufacturers. Together, they provide their patients with the best of the best medical care in the world at a truly affordable cost. According to Senior Principal Cyber Security Engineer, Bill Hagestad, a noted expert on the subject, “the taxonomy of competitiveness has developed into a true collegial cyber cooperative. MDMs now share immense amounts of information with each other about the latest cybersecurity issues.”
Here are some of the areas where their interests overlap:
- The free market reigns almost supreme – The medical device manufacturing (MDM) industry is incredibly competitive. As such, the various manufacturers – from the new ones to the established – are quite territorial in their development of new equipment. Obviously, no company would choose to share its proprietary information about a new piece of equipment with a competitor, yet manufacturers and delivery organizations do, in fact, cooperate. MDMs share whatever information is needed to help provide better safety for their patients.
- Cybersecurity is paramount – The cybersecurity of medical devices will never be, nor should it ever be, considered a competitive advantage amongst medical device manufacturers. Fortunately, MDMs have wholeheartedly embraced this philosophy and regularly share information between themselves and other healthcare providers to ensure the safety of their customers and patients. Nowhere is this concern more evident than in the healthcare industry.
- The government and global organizations are helping – While private MDMs and their associated HDOs were largely left to their own devices in the past, many state and Federal oversight commission hearings have recently taken to overseeing this part of the healthcare system. In particular, the Cyber Division of the Food & Drug Administration (FDA) and other global cyber threat intelligence sharing organizations such as the Health Information Sharing and Analysis Center (H-ISAC) are working together to mitigate this problem and offer a much better alternative than isolation.
An Illuminating Case Study
In the business world, nothing elucidates a point more effectively than a practical example. As medical devices – from pacemakers to insulin pumps – become more integrated into the Internet of Things, they also become more vulnerable to cyber attacks. Among the more recent intrusions to hit these types of devices were the WannaCry and Petya/Non-Petya attacks. These ransomware viruses demanded payment to allow users access to critical healthcare devices. The reprehensible actions of these criminals served to highlight to the healthcare community the vulnerability of relatively obscure but highly important medical devices.
Subsequent events saw the medical device industry receive a number of mandates issued by the FDA and other state and Federal regulatory bodies. Specifically, the FDA encourages MDMs to issue advice for the management of medical device security risks throughout the total product life cycle. This process also includes closely monitoring the devices already on the market, not just the new ones, for security issues. Companies are urged to actively update and protect their healthcare products in a manner that is timely and safe for the individual. The process of updating and patching medical device software is complex but not new to the established software technology industry. Still, it is a very involved process that deserves serious oversight, especially when people’s lives are at stake. Dr. Suzanne Schwartz and her colleagues at the Cyber Division of the Food & Drug Administration cover this aspect of the process in greater detail in her recent blog at https://blogs.fda.gov/fdavoice/index.php/2017/10/fdas-role-in-medical-device-cybersecurity/.
To its credit, the MDM industry has truly met the challenge of cooperating with other healthcare entities and government agencies to provide security and safety for the patients under their care. For more detailed information on the significance of a consolidated collaboration between healthcare delivery organizations and medical device manufacturers, please contact the National Health Information Sharing & Analysis Center online at h-isac.org and mdviper.org.