On October 28, the Washington, D.C.-based eHealth Initiative & Foundation (eHI) and the McLean, Va.-based Booz Allen Hamilton consulting firm released a joint report, “Securing Connected Medical Devices,” to help industry stakeholders address the challenges associated with cyber security of connected medical devices. As the two organizations stated in a press release, “The medical device ecosystem is at a critical moment where strong leadership across industry, government, and the public is needed to prepare for a secure connected future. This document helps set the stage for the discussion.”
“All connected medical devices are vulnerable to cyberattacks. When cybersecurity risks are not mitigated, clinical efficacy and patient safety are negatively impacted, and companies are left financially vulnerable,” said Jennifer Covich Bordenick, CEO of eHealth Initiative, in a statement contained in the press release. “Each step in a device’s lifecycle poses a potential threat and cybersecurity must be addressed throughout the course of a medical device’s lifetime. All healthcare stakeholders need to be vigilant about making cybersecurity a core component of patient safety discussions and dedicated to working together to ensure safety.”
Included in the report is an important discussion about key challenges, such as evergreen vulnerabilities afflicting connected medical devices, the importance of a “threat-centric” mindset to combat an increasingly complex threat landscape, and the need to evolve past a “one size fits all” approach to security.
“While connected medical devices promise novel diagnosis, treatment, and convenience, they are also a valuable target to cyber criminals and hackers,” said Kelly Rozumalski, a Booz Allen Principal and Leader in the firm’s cybersecurity business, in the press release. And Shannon Lantzy, a Senior Associate at Booz Allen and a Leader in the firm’s Regulatory Science Innovation practice, added, “Securing connected health is critical to continuing medical product innovation in U.S. healthcare.”
As the press release noted, “Earlier this year, eHI convened a roundtable of healthcare executives for a multi-disciplinary discussion on the challenges and potential solutions for cyber readiness of medical devices. The discussion covered factors to consider for a connected device future as well as the value of healthcare stakeholder communication and collaboration around device cyber security, creating the framework for this paper.”
“Responsibility for secure connected health lies with every player in the market, from manufacturers and regulators to healthcare delivery organizations, patients, and providers,” said Steve Kastin, a Booz Allen Senior Executive Advisor in the firm’s health business, in the press release. “The growing connectedness of devices adds exponential value to medical devices, but with this opportunity comes the important responsibility to strengthen protections against malicious cyber actors.”
Among other points, the report notes that “The connected health ecosystem faces unique threats and risks. The medical device lifecycle is the sequence of activities needed to move a medical device from an idea (i.e., conceptualization) to end of life (i.e., disposal)—potentially years or decades later. This lifecycle has proven successful in addressing the paramount concerns of efficacy and safety when bringing unconnected medical products to market. Connected medical devices bring new challenges.”
The report notes that medical device manufacturers “are increasingly becoming information technology (IT) partners, who have a new and direct role in the post-market phase (e.g., to sustain the systems that connected medical devices rely on to operate). Health Delivery Organizations (HDO) face new roles too, as they learn to mitigate risks within connected health devices that rely on third party, off-premise technology to work properly.” It also notes that “Connected medical device vulnerabilities never ‘expire’”; that “A threat-centric mindset is needed to secure the connected health ecosystem”; and that “Connected medical devices face diverse risks, with no ‘one size fits all’ solution.”