Cybersecurity, emerging technology and systemic risk: What does it mean for the medical device industry?
In late 2020, the World Economic Forum stated that “the approach to cybersecurity needs to be overhauled before the industry finds itself in any fit state to tackle the threat.”
The WEF singled out five global cybersecurity challenges:
1. Increasing sophistication of cyberattacks and cyber adversaries
2. Widening cybersecurity skills gap
3. Lack of intelligence and operational information sharing
4. Keeping up with regulatory changes and uncertainty
5. Underinvestment and lack of business buy-in
Below, I offer expert insights into these five challenges, as well as paths forward for the medical device industry.
1. Increasing sophistication of cyberattacks and cyber adversaries
Unfortunately, attackers in the medical device arena don’t yet need to increase their sophistication because the vast majority of fielded medical devices have extremely easy-to-exploit vulnerabilities. Attackers don’t have to “up their game” to breach existing medical devices – they can just exploit the low-hanging fruit, such as no authentication, no encryption of PII/PHI, no integrity vetting of key data elements, etc.
This is due to a number of attributes unique to medical devices (which are not shared by IT infrastructures). First, medical devices have extremely long lives. In healthcare delivery organizations (HDOs), a 20-year-old medical device in active use is not uncommon. Yet nobody in IT or network security would use a 20-year-old firewall or HIDS! Obviously, there’s a disproportionate reliance on legacy devices in the medical sector compared to others.
Second, medical device developers have not been trained to incorporate security into their development lifecycle. Most don’t know how to include it in the process, how to identify or assess design vulnerabilities and implementation vulnerabilities, and they don’t know what cryptographic primitives should be used in their system to accomplish whatever mitigation they might feel is necessary.
2. Widening cybersecurity skills gap
A personal goal of mine is that within 5 years, I can talk to any medical device developer about cybersecurity and find that they have comprehensive knowledge of all aspects of creating a secure device.
To achieve that, I partnered with Axel Wirth to write and publish the world’s first comprehensive, how-to book on medical device cybersecurity. Also, Velentium has launched a training certification process to train engineers, developers, and managers at medical device manufacturers (MDMs) and other embedded and IoT device designers, so they’ll have qualified, knowledgeable cybersecurity expertise on-staff.
According to a recent (ISC)² report, the global cybersecurity talent gap remains at more than 3 million. Cybersecurity employment must grow by 41 percent in the U.S. and by 89 percent worldwide to fill the existing gap.
Clearly there is a huge shortfall of talent in the IT arena, but the situation is far worse for the embedded device arena. Skilled people simply are not available. Automation offers partial solutions for the end consumer, such as an HDO, but historically very few MDMs try to “play nice” with any SIEM, monitoring, or even asset management systems – perhaps in an effort to simplify development requirements and reduce device complexity, perhaps to limit third-party visibility, exposure and liability.
In most deployment scenarios, these systems are forced to make assumptions about the nature of each endpoint in lieu of being provided detailed information about that endpoint, which would vastly improve the scenario for automated detection of events. This adversarial relationship between endpoint manufacturers (including MDMs) and cybersecurity tools needs to end.
3. Lack of intelligence and operational information sharing
This third challenge is actually being addressed rather well in the medical device industry by excellent information sharing and analysis organizations (ISAOs) such as H-ISAC and MedISAO. These organizations provide a wonderful forum for sharing current security events and newly discovered vulnerabilities, but also provide a channel for dialog between security staff at HDOs and MDMs. Before these organizations existed, this type of honest and open communication simply did not occur.
4. Keeping up with regulatory changes and uncertainty
An ongoing teaching opportunity for cybersecurity experts is reminding our companies and clients that meeting regulatory expectations shouldn’t be the “high bar” in your new product development efforts. Yes, you do have to keep up with regulations and take steps to demonstrate that you fulfill them. But regulations are designed to protect end-users and others from cybersecurity exposures in your product – they aren’t designed to protect your business model.
Increasingly, the cybersecurity requirements expressed in regulations represent the “low bar.” Much more is expected by consumers and end-users – not just that you designed and developed the product securely, but that you will be able to provide appropriate support during a cybersecurity event.
5. Underinvestment and lack of business buy-in
This remains a huge problem, even in the medical device field – which is surprising not only because the stakes are so high and so obvious for medical devices, but also because of the rapid rise of regulatory and media attention to the issue in the past decade. Of the 7,000-plus FDA-registered medical device manufacturers, we see the same representatives from the same two dozen (or so) companies at all the med-tech cybersecurity conferences and presentations. Where are the other 6,976 companies?
Once or twice a month, we onboard a new medical device developer client who is surprised to be told that they have to secure their new medical device. The FDA made this clear starting in 2014, and has addressed it many, many times since. You have to start to question the pattern. Is this true ignorance of an emerging property of device development, or just willful ignorance because we don’t want to have to do this?
Many businesses don’t have the risks that matter most to their organization, from a financial or operational perspective, on their radar. They may have some idea of the types of threats that are “out there” – most people have heard of phishing, ransomware, and identity theft, for example – but they haven’t worked to figure out the ways in which their organization and products are vulnerable.
There is often an erroneous assumption in the medical device manufacturer’s board room that their engineers are making their products securely. Yet scratch the surface and you find no provision anywhere for training, budgets, governance, or testing! The assumption is that security is “just happening” as a matter of course, when it really isn’t. This mistake is now being spotlighted as the FDA has really ramped up the premarket approval process in regard to cybersecurity.
MDMs can now expect many cybersecurity questions in response to their premarket submission, and if this is the first time they have thought about security, their new medical device is going to be months or years late to the market. There are many classes of embedded device vulnerabilities where the solution simply can’t be “bolted on” at the last minute.
If you think cybersecurity ignorance can’t harm your business, take a good hard look at the stock prices of SolarWinds and think about what the future holds for that company!
The human preference to avoid facing a new problem is ever-present. This is the reason we are always “fighting the last war,” not thinking ahead to the future war and how battles will be won or lost then. CISOs have their faces shoved into reality on a daily basis – we have gotten to the point where we are almost numb to new exploits and their consequences.
From my perspective the Board exists to advance and protect the interests of the company, and if they are not seeking the difficult answers from their CISO, or not willing to hear such answers, then they are the ones at fault when the inevitable happens (although most likely the CISO and the stockholders will be the ones paying the price).
Within executive leadership, there is inherent tension between the CISO and CIO roles. Cybersecurity is a fast-changing environment, and CISOs are doing everything they can to just keep up with the latest threats and mitigations. A CIO’s job is to slow down the pace of change, because modifications can impact operations in a bad or unfunded way.
When changes must occur, CIOs are looking primarily for the cheapest way to implement them, not the most secure way. But these conflicting interests can be reconciled by the Board’s desire to reduce risks and increase profits… if only they are aware of the potential negatives and positives of being proactive about cybersecurity.
Because it’s not all negative. So many companies have taken the “head-in-the-sand” approach to cybersecurity for so long, it has now become a market differentiator. Prevention is now profitable. Implement a secure development lifecycle, share the results and output of such a process with potential customers, and you capture market share from future failed companies. The world we live in today is straightforward: either secure your products or face corporate ruin.
One way or the other, everyone pays for security. But the “school of hard knocks” path is a lot more expensive – often catastrophically more – than investing in prevention.