Is Digital Health Cybersecurity a Threat or an Opportunity?

As the health industry becomes more reliant on digital technology, the issue of cybersecurity becomes an essential business and ethics priority. When it comes to health technology, digital security means more than the safety of data – the very lives of patients could be at stake.

Recall the report in late 2013 when former Vice President Dick Cheney had the wireless functionality of his heart implant disabled due to fears it might be hacked. Though no hack was ever directed at the former Vice President then, such a threat is considered to be plausible.

The FDA recently recalled approximately 465,000 pacemakers that were vulnerable to hacking, but the situation points to an ongoing security problem.

Yes, every aspect of digital health could be at risk, including wearable medical devices. Studies coming out of the United Kingdom and Belgium have shown that hackers can deliver fatal programs directly to implanted medical devices including defibrillators, insulin pumps and pacemakers. There have been cases of medical facilities in the United States closing because of malware interrupting the security of computers involved in cardiac surgeries.

Embedded devices are not known for having the best security. In previous generations, there was no reason for it, but there is definitely urgency in the current generation on two fronts. First of all, patients must be protected so that hackers do not have the ability to break into devices that support or sustain human life. Secondly, medical devices that are vulnerable can become an entry point to a larger network of monitors, sensors, medical records and other important notes of information.

Because of the urgency that medical emergencies demand, digital health cyber security is a much larger opportunity for hackers than perhaps any other industry. A ransomware attack on an embedded medical device could evolve into literally a ransom on a person’s life – of far greater urgency than the demands for Bitcoin that hackers impose on insurance and financial securities companies. The opportunities for extortion are exponentially greater now, a viewpoint that has been backed up by the highly reputable research company Trend Micro.

The aging population that we see using more medical technology to stay vital, healthy and alive is a growing industry that currently stands at around $400 billion. It is a market that is poised to expand at a rate of about 3% per year until 2022. After this, it has the ability to explode exponentially serving the needs of the Baby Boomer population as they move into their later years.

The majority of IT networks in hospitals remain far behind the security challenges that this growing industry presents. Many surveys show that cyber security budgets are being misappropriated towards cloud security and infrastructure in an unbalanced way. Adding fuel to the fire, government frameworks have done little to deter hackers from doing their worst. The emerging frameworks of regulators for the medical industry currently provide guidance only, not penalties for improperly directing security funds. Under this current system, it is a simple thing for medical IT professionals to overlook the risks that unprotected medical devices represent. This is especially true in an environment where an attack on a device has not happened yet.

There is also a potentially large problem of older medical devices being incompatible with new guidance. Medical device capital equipment such as MRI scanners do not experience a great deal of turnover in medical offices – the average age of a scanner in an American medical office is 11.4 years. Even if an office wanted to build a more robust medical device security infrastructure, it would mean a huge outlay of upfront funds. That office would have to upgrade its hardware as well as its security systems, a feat that might be beyond the reach of many smaller offices.

Despite the challenges mentioned here, there is a huge opportunity within the medical industry in terms of digital health cybersecurity. For medtech companies, one such opportunity lies in the area of security as a strategic advantage. Bulletproofing the next generation of medical devices that are susceptible to hacking could prove to be a key differentiator.

The International Organization for Standardization came out with guidelines for disclosure of product vulnerabilities in 2014. This standard will be revised in 2019. It is essential that any maker of medical devices understands these new standards and uses them to their advantage in new product development.

Healthcare providers also have a chance to clean up their digital hygiene. Those who deliver health services should be trained to stay in compliance with security policies. This too opens the door to offering professional development training to ensure compliance and patient safety.

Executives and managers also now have a reason to enforce an office policy of leaving your home devices at home. Even a cell phone that taps into office Wi-Fi can become a back door for hackers to move into the wider digital space of a medical office.

Offices also have leverage to focus on the security shortcomings of legacy devices. They may be able to apply pressure on suppliers and manufacturers to help bring devices up to code with a minimum of cost to the office. Many governmental agencies are beginning to require that offices follow guidance. Although this framework is far from complete, medical offices should band together now to put the pressure on vendors and suppliers to adhere to standards so that the cost of compliance does not fall completely on the shoulders of the offices.

Large hospital systems should reorganize their priorities when recruiting executive and management leadership. The new breed of leaders should have a working knowledge of medical IT infrastructure along with their core skill sets. Once hospitals take responsibility for their own digital safety in this way, the pressure will be on the entities surrounding these seminal institutions, including vendors and governmental agencies, to shape up their production values and framework guidance, respectively.

Medtech boards and senior management interested in creating value by using information security as a strategic advantage will likely be required to find talent from outside the firm’s ranks. Appropriate leadership that understands the strategic implications of digital health cybersecurity as a critical component of future innovation will likely come from outside the organization. This is due to the fact that it has not been the tradition of medical device makers to prioritize this as part of the senior executive skills package. This becomes particularly important as more medtech companies move toward “smart” medical devices.

Executives who can envision digital health cybersecurity as an opportunity will bring unique value to the table.

As more medical device companies realize that cybersecurity can be leveraged as an opportunity to create value, differentiation and new revenue streams, recruiting leaders who can bring this expertise to the executive ranks will be more vital than ever.

JP Boyle & Associates helps digital health, medical device and health technology companies reach their goals and overcome challenges through executive search services.
