Cybersecurity and patient safety

BD Institute for Medication Management Excellence

Cybersecurity and patient safety: Developing a culture of transparency among healthcare industry stakeholders

PUBLISHED: Apr 29, 2019

By Rob Suárez, Director of Product Security, BD


In the security industry, we often hear about “security by design”—products designed and built to withstand cyber-attacks. But when a healthcare company deploys a new technology to a customer site, new types of risk are often introduced, and every hospital has a unique environment.1,2

Cybersecurity adversaries—hackers and others who attempt to breach systems—share information every single day, freely and openly on the internet.3,4 Whether for profit, politics, or simple pleasure, members of that community have established ways to help each other exploit software and technology to their benefit. These same exploits can sometimes impact medical technology and patient safety.5

While it may seem counterintuitive, our community, as the defenders of technology and healthcare, needs to adopt a similar culture of information sharing and make it open, free and transparent. By sharing in a coordinated and responsible way, companies can better match the pace at which new cybersecurity threats are emerging. Based on my experience, companies should strive to think beyond “security by design” by also focusing on “security in use”—how to secure products within the context of how customers actually use them—as well as “security through partnership”—how to collaborate with customers, healthcare providers, patients, security researchers and others. Toward the goal of “security through partnership,” companies may routinely issue voluntary coordinated security disclosures, in order to share information with customers about potential vulnerabilities they identify or are made aware of, and about how customers can protect themselves and their patients.6 In the same vein, it’s critical to be part of the community working to improve cybersecurity practices industry-wide, and to take an active role in the Healthcare and Public Health Sector Coordinating Council (HSCC) to establish best practices for the industry to adopt.6

HSCC Joint Cybersecurity Working Group

Established in 2018, the Healthcare and Public Health Sector Coordinating Council (HSCC) is an industry-driven, public-private partnership of healthcare companies and providers that develops collaborative solutions to threats to the US healthcare infrastructure.7 As one of 16 critical infrastructure sectors organized to partner with the government under Presidential Policy Directive 21 (PPD 21), this working group serves as the “big table” for healthcare industry associations and their members and represents a significant opportunity to foster the much-needed culture of information-sharing around cybersecurity.

Since its inception, the working group has grown quickly, from 60 to 215 voting organizational members, providing stakeholder groups with an unprecedented opportunity to come together to make a commitment to cybersecurity in healthcare, and put a plan in motion to achieve a level of transparency that has the potential to improve patient safety.

BD hosted over 100 members of the working group in San Diego, California April 3-4, 2019, to share best practices among stakeholder groups. Diverse participation from a wide range of stakeholders including policymakers, healthcare providers, vendors, medical technology and healthcare IT companies, direct patient care entities, plans and payers, laboratories, and security researchers, helped create a spirit of communitywide collaboration.

A plan to achieve transparency

Toward the goal of promoting transparency, the HSCC published the Joint Security Plan (JSP) in January 2019. Developed by a task group co-chaired by the FDA, the Mayo Clinic and BD, the JSP pulls together many industry standards and sets into motion a plan to improve cybersecurity for medical technology with commitment from organizations that adopt it. It provides objectives, dates, milestones, criteria for assessing maturity against those milestones, and a way to coordinate efforts to put the plan into action utilizing “security by design” principles throughout the medical device or health IT lifecycle.

With the publication of the JSP, the HSCC working group has provided a single document with the components needed to adopt new practices, update those practices over time, and share them with customers. The plan illustrates the shared responsibility among industry stakeholders to harmonize security-related standards, risk assessment methodologies and vulnerability reporting requirements, in order to improve information sharing between medical technology companies and healthcare provider organizations. When implemented, it represents a commitment by a medical technology company to achieve the goals of secure by design, secure in use and secure through partnership. BD is proud to have adopted the JSP, and we are working towards improving our maturity across all of the practices outlined.

As a participant alongside many other medical technology companies in the effort to develop the JSP, I shared BD’s efforts to understand the way our customers interact with our products in a clinical environment and integrate security controls that address the unique types of risk that come with patient interaction. As a member of the HSCC, we’ve committed to partnering with healthcare providers, policymakers and federal agencies to communicate vulnerabilities in our products as well as the means to mitigate or potentially resolve them. In this way, hospitals and healthcare systems can be empowered with information that has the potential to protect them and their patients.

Cybersecurity is a patient safety issue

Viewed separately, medical devices that deliver care to patients often carry clinical risks, while software designed for use in hospitals carries cybersecurity risks. Bring the two together and patients are potentially exposed to clinical risk as a result of cybersecurity risk. Today’s medical devices are not only hardware—they’re systems that employ sophisticated software, sit on the hospital’s network and communicate with the EMR or other systems.

Like the human body, technology ages over time. Instead of developing disease, however, technologies develop vulnerabilities. Since all technologies experience aging, medical technology companies shouldn’t wait for a security breach to disclose the vulnerabilities they discover. Vulnerabilities should be disclosed and evaluated as soon as they’re discovered, so that risk mitigation strategies can be employed.

Learn more

Each month on the BD Institute for Medication Management Excellence blog, thought leaders explore topics of critical importance to medication management, and provide additional ways to learn.

Now that you've read this article, deepen your understanding of key barriers to medical device security, the FDA’s changing guidelines and “unpatchable” medical devices. Then, go further by learning about next generation interoperability, which will require vigorous cybersecurity standards.

References

  1. How Evolving Healthcare Cybersecurity Threats Affect Providers. HealthITSecurity. https://healthitsecurity.com/features/how-evolving-healthcare-cybersecurity-threats-affect-providers. Published 2019. Accessed April 25, 2019.
  2. Adibuzzaman M, DeLaurentis P, Hill J, Bennyworth B. Big data in healthcare - the promises, challenges and opportunities from a research perspective: A case study with a model database. AMIA Annual Symposium Proceedings. 2017:384-392.
  3. Whittaker Z. Marriott says 500 million Starwood guest records stolen in massive data breach. TechCrunch. https://techcrunch.com/2018/11/30/starwood-hotels-says-500-million-guest-records-stolen-in-massive-data-breach/. Published 2019. Accessed April 25, 2019.
  4. Loughran J. 773 million stolen email addresses leaked online in huge data breach. Eandt.theiet.org. https://eandt.theiet.org/content/articles/2019/01/773m-stolen-email-addresses-leaked-in-huge-data-breach/. Published 2019. Accessed April 25, 2019.
  5. Largest Healthcare Data Breaches of 2018. HIPAA Journal. https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2018/. Published 2019. Accessed April 25, 2019.
  6. Medical Device and Health IT Joint Security Plan. Healthcare & Public Health Sector Coordinating Council; 2019.
  7. Introduction – Health Sector Council. Healthsectorcouncil.org. https://healthsectorcouncil.org/health-sector-council-cyber-working-group-introduction-2/. Published 2019. Accessed April 25, 2019.