In the security industry, we often hear about “security by design”—products designed and built to withstand cyber-attacks. But when a healthcare company deploys a new technology to a customer site, new types of risk are often introduced, and every hospital has a unique environment.1,2
Cybersecurity adversaries—hackers and others who attempt to breach systems—share information every single day, freely and openly on the internet.3,4 Whether for profit, politics, or simple pleasure, members of that community have established ways to help each other exploit software and technology to their benefit. These same exploits can sometimes impact medical technology and patient safety.5
While it may seem counterintuitive, as the defenders of technology and healthcare, our community needs to adopt a similar culture of information sharing and make it open, free and transparent. In a coordinated and responsible way, companies can better match the pace at which new cybersecurity threats are emerging. Based on my experience, companies should strive to think beyond “security by design” by also focusing on “security in use” (how to secure products within the context of how they are used by customers) and “security through partnership” (how to collaborate with customers, healthcare providers, patients, security researchers and others). Toward the goal of “security through partnership,” companies may routinely issue voluntary coordinated security disclosures to share information with customers about potential vulnerabilities they identify or are made aware of, and how customers can protect themselves and their patients.6 In the same vein, it’s critical to be part of the community working to improve cybersecurity practices industry-wide, and to take an active role in the Healthcare and Public Health Sector Coordinating Council (HSCC) to establish best practices for the industry to adopt.6