There’s a fundamental security sea change happening in the medical device world. Driven by the increasing threats of cyber attacks, corporate competition, and the ever-growing need to protect the massive volumes of valuable patient data, Chief Information Security Officers (CISOs) are rethinking how they defend against these evolving challenges.
Medical device security leaders, including those who participated in a recent roundtable facilitated by Protiviti, regularly tell us how their focus is shifting in several notable ways as cyber attacks are rapidly becoming an imminent threat to device and patient security. It is imperative to continually refresh device security, protecting both patients’ lives and the sensitive information around the issues for which they are being treated. Strong security practices also protect both the valuable intellectual property invested in these devices and the manufacturers’ brand reputations.
Increasing Cyber Threats
“Everyone in this industry has the same goal: save lives,” is a mantra that we hear time and time again. The tools being brought to market are developed to fight cancer, manage diabetes and overall improve health, among other noteworthy goals. All these devices also collect and store sensitive patient data, which makes protecting them more critical than ever.
The data protection landscape is perhaps one of the most rapidly evolving areas we’ve seen as vulnerabilities are identified and companies adjust their practices to address those issues. As one of our roundtable participants told us, “historically, we’ve been good about predicting failure modes. Cyber is harder to predict,” adding, “this is not a muscle we frequently use; we must train ourselves to become constantly aware of potential threats and risks. It is important that we are able to respond quickly when an issue arrives.”
The cybersecurity community is aware of a continually growing registry of issues that can exist for medical devices. But, historically, much of the regulatory focus has been on ensuring products are secure at the time of approval, not monitoring and addressing new security threats to already approved devices in the field. We now see entities like the U.S. Food and Drug Administration (FDA) or the European Union Medical Device Regulations (EUMDR) attempting to establish more concrete guidelines to ensure medical devices remain secure throughout the life of the product. Yet, they still have the nebulous requirement to “make sure this is secure so that bad guys can’t get in.”
A Cultural Evolution
The medical device ecosystem is changing at a rapid pace. Today, technicians can interact with medical devices over expansive communication channels such as Bluetooth, consumers can update medical device firmware through their app, and doctors are able to monitor patients remotely. In order to keep pace, companies must change their approach to product-centric cybersecurity. To maintain device and patient security, a culture shift must occur within organizations and the industry. Cybersecurity must be an integral part of a medical device’s lifecycle, from the very beginning. Dealing with security during the close of development or after production will almost inevitably lead to headaches for the device maker, regulators and, potentially, patients. Traditionally, device manufacturers focused on ensuring the product was secure at its release. Finite testing has always been an important strength for this industry. Today, the changing landscape of threats requires much more hands-on management and updating of these devices. It becomes a process that says, “I have to secure this product I am going to release in six months, but I also have to maintain and secure the product released three years ago.”
The question for organizations becomes: “How do we adapt our processes to protect our devices and our customers against these new cybersecurity challenges?” In 2017, medical devices in at least 45 U.S. hospitals were infected with the WannaCry ransomware. Medical devices can run on anything from a custom real-time operating system to Microsoft Windows. In the WannaCry instance, a cyber attack geared towards personal computers was able to infect radiology equipment through the hospital’s network and shut down MRI machines until operations could be restored. Since then, the exposure of medical devices has only increased with the inclusion of varied operating systems and new connectivity options. This calls for a different way of looking at risk. One of our roundtable participants put it this way: “Patching and updating products is a completely new concept. We now need to patch, update and manage throughout the product lifecycle.” It is important to note that these patching and ongoing maintenance processes must be incorporated into the standard quality assurance (QA) processes that are already in place across many organizations.
We believe it is important for organizations to work collaboratively with both internal and external resources to maximize security best practices. Yet this represents an important cultural shift in many companies, especially in research and development environments. The changing face of cybersecurity, when applied to the medical device industry, means that the days of writing one policy per product, one time, are over. Now, security must be integrated into every step of the production process and reviewing security procedures regularly becomes a standard way of doing business. Externally, our roundtable participants agreed that setting aside competition is key. “While the industry is hyper competitive, when it comes to security, we are hyper collaborative,” said one. Developing strong relationships with regulators is one step, while being an active participant in industry task forces and forums is another. “Regulators recognize the task forces as key to driving standards and consistency across the industry.”
One of our clients intentionally includes regulators at its annual client symposium. At that event, upcoming regulatory changes are reviewed, allowing the manufacturers “to better understand the reasoning behind the new regulations,” the client said. “All medical device companies have the same mission at heart. Everything points back to patient safety and this understanding helps us meet regulatory requirements more effectively.” They further went on to stress the importance of participation in industry forums to learn and collaborate with others in the industry on how best to combat cybersecurity threats.
Leading Practices: Modernizing the Security Function
The internal challenges to collaboration that many organizations face are a natural result of the growth typical in this industry, where companies traditionally expand through acquisitions. As new companies join the parent firm, internal silos tend to develop and it can be extraordinarily difficult, particularly with something as controversial as device security, to get each silo’s engineering group to agree on a singular security mindset.
To break down those silos, we recommend a centralized product cybersecurity model. In this model, one central office creates fundamental security governance baselines and documentation requirements. Each product division has its own product security representatives, who are aligned with the central office and who facilitate “translating” security requirements to each product. This approach requires strong communication, cooperation and coordination across the organization, but reaps considerable dividends once in place.
Our roundtable participants use this centralized method and have adapted the concept to best fit their unique cultural needs. Both have relatively small teams but have maximized those teams’ effectiveness by involving employees who have deep product knowledge and developing a consistent respect for security and regulatory drivers across the company. Securing support from company leadership is perhaps the most critical factor here, as the “tone at the top” commitment to strong security processes will spread through the organization.
The roundtable participants also recommend that CISOs:
- Ensure the centralized team understands the company’s end vision for security
- Enable the team to chart their own path toward that vision
- Define what success looks like
- Remove barriers to achieving that success
- Ensure the security team feels challenged but also be there to help when the team encounters challenges
- Provide the tools needed to get the job done
- Share customer/patient stories with the team to make their work relatable and support their ability to make a difference in patients’ lives.
The CISO’s role in medical device manufacturing firms will continue to evolve along with the ever-changing threat landscape. Developing a mindset of collaboration and communication will help ensure smooth sailing on the waves of that change.