Regulatory focus on fining providers is misplaced, according to a device security expert.
Healthcare's cyberattack surface is forecast to grow sharply over the next few years, in large part because of the proliferation of internet-connected medical devices.
The global Internet of Medical Things market is expected to grow at a compound annual growth rate of 18.5% from 2021 to 2027, reaching $284.5 billion by 2027, according to UnivDatos Market Insights. The rise in connected medical devices and the emergence of new technologies are driving that growth.
MedCrypt is a San Diego-based company that provides proactive security for healthcare technology. MedCrypt's platform brings core cybersecurity features to medical devices with a few lines of code, to ensure devices are secure by design. MedCrypt announced a $5.3 million Series A funding round in May of 2019, bringing the total funds raised to $9.4 million with participation from Eniac Ventures, Section 32, Y Combinator, and others.
Recently, Seth Carmody, PhD, vice president of regulatory strategy at MedCrypt, answered questions from HealthLeaders about the connected medical device security threat.
HealthLeaders: Carrots and sticks seem to be the only tools the government possesses to improve digital security in healthcare. Is there a third way?
Seth Carmody: There have been a few attempts to incentivize security, but the incentive is fine-based and focuses not on security debt relief but on the management of the risk that security debt brings. Governments and regulators need to continue to provide sticks and carrots like the IoT Cybersecurity Improvement Act of 2020 and the FDA (U.S. Food & Drug Administration). The FDA's Postmarket Cybersecurity Guidance (December 2016) incentivizes medical device vendors to participate in cyber-risk information sharing in a variety of ways, such as through Medical Device Information Sharing and Analysis Organizations (ISAOs).
These types of incentives will drive healthcare to build technology securely, but because their domain is healthcare, efforts will be expensive and may fall short. Therefore, it’s necessary for the tech sector to lead a “shift left” movement and provide seamless, secure by design, out-of-the-box technology that healthcare can use to build their innovative healthcare products.
HL: So much of what healthcare faces in this cybersecurity crisis is a crisis of education. Many breaches seem to be traceable to social engineering. What interesting or novel efforts exist to improve the education effort?
Carmody: Security is a harsh discipline and not kind to amateurs. If I’m a financial analyst at some firm and I work with spreadsheets all day, and my organization’s security posture depends on me to also be a security analyst and not open potentially malicious spreadsheets, then it’s game over. Are we surprised with the results of trying to make everyone a security expert? Education can only go so far. Security can’t be hard for people just trying to get their own job done.
HL: As the internet of things proliferates, economic forces that prevent medical devices from being secure by design are going to be a bigger and bigger problem. What carrots or sticks can be brought to bear on medical device manufacturers to assure security despite those economic forces?
Carmody: We need a healthcare supply chain, shift-left strategy, where lawmakers and regulators require [that] healthcare technology vendors' technology be secure by design. We need the upstream tech supply chain to supply technology to those vendors that is secure by design and can be integrated securely and easily. We need arbiters of security that can assess, at scale, the adequacy of security, removing the burden from the consumers (hospitals, clinicians, and patients). Lastly, when things go wrong, we should notice, and liability should be shared by the producers of the technology, not just the consumers of technology.
HL: Are the breach reporting systems defined by HIPAA up to the mission? As HIPAA continues to evolve, are there things you would do to fix those systems?
Carmody: HIPAA largely punishes the consumer of healthcare technology debt, where problems manifest, not the producer who controls the amount of security debt in products they make. Therefore, HIPAA exerts limited upstream economic pressure on healthcare tech vendors who optimize to satisfy the letter of the law such as encrypting only Protected Health Information (PHI) data versus command data.
The HIPAA Security Rule has been in effect for over 14 years, but a 2019 study from CynergisTek reports the healthcare industry has only managed to achieve 72% compliance with it, which may seem like a good score, but one that doesn’t measure risk or actual security. Data show that breaches are increasing. In other words, we’re not any better at security.
HL: What lessons have you learned from the COVID-19 pandemic about what's working, what isn't, and how the health tech industry is rising to the challenge, with so many more lives on the line?
Carmody: The time when healthcare is critically focused on pandemic response is also the time when it is most vulnerable to threats. Hospitals, which operate on thin margins, cut IT staff to stay afloat while revenues dropped, but still needed to deliver care to COVID patients. Data show that adversaries took advantage.
The healthcare industry has made tremendous progress and that must be acknowledged. The issuance of multiple guidance documents from international regulatory bodies and industry leaders, and the voluntary engagement by device vendors and security researchers at the DEF CON BioHacking Village, are signs that times are changing. However, the tension between healthcare and security is rooted in the fact that healthcare’s first job is to deliver healthcare. Therefore, technologies built to serve healthcare are built primarily to deliver on healthcare features, not security features, like monitoring, that would help connect security events with patient outcomes. As a result, the healthcare industry accrues security debt, yet paradoxically, healthcare must also deliver healthcare securely because any lack of security threatens the ability of the healthcare ecosystem to function. This tension must be resolved for any additional progress to occur.
Scott Mace is a contributing writer for HealthLeaders.
Efforts to secure internet-connected medical devices are expensive and may still fall short.
Healthcare knowledge workers cannot be expected to become security experts.
Economic pressure on healthcare tech vendors demands upstream security in the tech supply chain.