20/20 Hindsight is so 2020 in Healthcare Cybersecurity

…but after a year of entirely unpredictable events, how can anyone speculate on what 2021 will bring? For some, priorities sharpened as they adopted new strategies overnight; others had to fundamentally change the way they work.

Medcrypt Medical Device Cybersecurity Blogs, Feb 26, 2021

By Vidya Murthy

Remote patient monitoring

During 2020 and driven by the COVID crisis, the field of medical device cybersecurity certainly faced change as remote patient monitoring, telehealth and new, integrated workflows were rapidly deployed across healthcare.

From the various (virtual) conferences our team attended this past year, a few consistent themes emerged that are worth focusing on:

  • Many medical device manufacturers (MDMs) shared how the health crisis highlighted the challenge of building a coalition around security. When the choice is between funding a clinical priority and talking about potential cybersecurity risks, the security spend is understandably a difficult justification. It wasn’t doom and gloom for all, though: several teams shared success stories of translating security into a business case compelling enough for their product leadership teams to rally around.
  • Incident response was top of mind for many in the field, likely a direct result of the surge in incidents across pharma companies and healthcare delivery organizations. With ad-hoc centers set up for COVID-19 and the adversarial environment they’re operating in, one could argue that we’ve lost before we’ve even begun.
  • The value of leveraging third-party tools was evident. A government leader shared that even with an effectively infinite budget, their team relies on tools to be impactful in tackling cybersecurity threats. We are at the beginning of building data that may hold insights, but without tools to digest it, collecting it is a wasted effort.

With all that in mind, what will 2021 look like?

Connectivity will continue to increase.

In the push to deliver care outside the hospital, the emergence of telehealth and remote patient monitoring during the pandemic won’t stop, and we will see continued adoption of connectivity in healthcare. If anecdotal evidence isn’t sufficient, the CMS confirmation that it will expand coverage of telehealth services demonstrates the money behind this movement.

FDA Premarket Cybersecurity Guidance Enforcement

FDA Premarket Cybersecurity Guidance Webpage

The administration’s initiatives and the anticipated finalization by the FDA of the 2018 premarket cybersecurity guidance draft will raise the expectation that 510(k) submissions demonstrate sufficient consideration of cybersecurity risk for all medical devices. While anecdotes were whispered in the virtual halls of conferences this year, hopefully 2021 brings more transparency on how cybersecurity requirements are enforced against MDMs during the device approval process.

Pervasive Vulnerability Disclosures

2020 ended with SolarWinds and Amnesia:33, leaving many reeling from the impact and attempting to contain the potential risk as the new year began. Vulnerabilities of this kind are deeply embedded in our software supply chain and appear to be disclosed at a higher rate than we have historically experienced. It is reasonable to expect this trend to continue, with greater emphasis on widely adopted, low-level technologies.

Continued Increase in Healthcare Breaches

From 2019 to 2020, there was a 27% increase in the number of health data breaches reported through the Department of Health and Human Services breach notification portal. With the equivalent of more than 80% of the US population now having had their data breached, society seems to have become desensitized to losing personal health information. This stands in direct contrast to the very tangible monetary impact felt by hospitals, device manufacturers, regulators, patients and security practitioners. We have been trying to solve healthcare cybersecurity at the hospital level for nearly a decade now, and it’s not working. Unless we fundamentally change how we approach this problem and shift upstream to embed security proactively, there is no hope of reducing the frequency of breaches.

U.S. HHS reported health data breaches

Waiting for Requirement Finalization Will Leave You Behind the Curve

Patients, customers, regulators, technologists, device manufacturers and healthcare providers each seem to hope that a final list of requirements for delivering secure healthcare will be agreed. While each stakeholder is rapidly aligning on solving today’s concerns, waiting for a single standard to rule them all will leave you waiting for good. Our industry cannot wait for complete alignment; it must deploy best practices today while architecting for the next generation of healthcare cybersecurity. This is no longer a nice-to-have but an imperative that was only granted a reprieve while we all recovered from the pandemic. If we only improve incrementally, we will never meet the needs of our ecosystem.

Follow MedCrypt on LinkedIn and Twitter for more updates on all things healthcare cybersecurity and medical devices.
