Those that have been around healthcare security circles know that the term connected medical device or IoMT (Internet of Medical Things) elicits a collective sigh of anxiety. Last week, the FDA announced its first appointed acting director of medical device cybersecurity. University of Michigan computer science researcher Kevin Fu was hired in this newly created post to help realize the vision of FDA’s strategic initiatives related to bringing together the best of industry alliances, thereby starting to address the security issues that exist with connected medical devices and help improve any potential clinical & safety impact.
The term “it takes a village…” is perfectly emblematic at this time as we have a situation where there are isolated pockets of valuable effort being introduced to generate everything from risk frameworks to security intelligence sharing & standards to crowdsourcing how healthcare delivery organizations (HDOs) better operationalize managing these complex security architectures. While the output of all this work has yielded an impressive raw data baseline, we are now at a tipping point where we need to formalize these efforts and address the nuances of impact to IT/Clinical operational workflows and cost regardless of where the organizational responsibility resides – Healthcare Delivery or Medical Device Manufacturer.
Industry working groups such as HSCC Joint Cyber Security Workgroup in the United States of America, Medical Device Coordination Group in the European Union, and Medical device security groups belonging to members of Asia-Pacific Economic Cooperation (APEC) have for the better part of the past decades worked to create the initial approach to address the challenges that have been in the way of establishing a baseline for what connected medical device security in this area should look like. This is where private industry collaboration comes in, whether it’s in the form of solutions or services to help reduce the technical burden needed by the practitioners in the healthcare space.
Innovation in the last 5 years has led to advancement in technologies that can do identification, vulnerability management, resource utilization and a nascent approach to behavior mapping of the integrated medical device ecosystem. This is where, the role of agencies like FDA and their counterparts across the globe is critical, as they can help facilitate the areas where cohesion is needed not only from a collaboration and partnership perspective, but they can also help provide the necessary access to pathways for funding the actual work that needs to occur once we have an acceptable scope definition for the issues in question.
As a professor of electrical engineering and computer science at the University of Michigan and the founder and chief scientist of the Archimedes Center for Medical Device Security (amongst other accolades), Kevin Fu has a unique skill set for a unique and much needed role. While only a twelve month post, Fu will lead the FDA’s ongoing efforts to ensure the safety and effectiveness of medical devices, including pacemakers, insulin pumps, hospital imaging machines, and other electronic devices all of which are being connected to healthcare organization networks.
It is evident that utilization of integrated clinical applications and their associated connected devices has skyrocketed in the past decade, leading to innovative approaches and safer clinical outcomes for treatments. This reliance on digital workflows has created an urgent need to address not only the confidentiality & availability of data, but also its integrity, which underpins a big part of the clinical decision support process, let alone adding supply chain integrity and security concerns. These security and operations issues affect healthcare organizations everyday, and are the new reality where we see attacks not only affecting the data, but also the care a patient receives.
As a former Healthcare CISO, I am excited to see this role formalized. Challenges I and other medical security professionals continue to encounter are rooted in creating a narrative that allows the mapping of risk as it pertains to a patient’s journey for their visit to the hospital or doctor’s office and beyond. That means not only looking at the connected clinical devices, but charting what ancillary systems are part of the care delivery process. This also manifests itself as alert fatigue within the security operations teams, as they adjust to working with new types of connected medical devices and responding to an order of magnitude increase in attack surface.
Working with device manufacturers can sometimes be an opaque process depending on the clinical engineering or biomed/facility operations workflows. This is where formalization of frameworks from FDA and others can help in defining the appropriate scope for implementing and operationalizing the medical device security strategy & making sure that it aligns with the broader IT security strategy.
As mentioned earlier, industry alliances are key here. It will take an honest introspective effort between private industry, device manufactures and the health systems to address the funding question. There is a real operational budget and revenue impact for organizations that have to take the output of the industry working groups and figure out what that means for them. For example, It could mean significant roadmap impact to product divisions within a medical device software company. It could mean adjusting manufacturing contracts and SLA’s (most of the time internationally) if these recommendations for security impact the logistics framework. It could also manifest as a workforce and human factors impact on operational security workflows.
These examples are meant to illustrate that while we have made significant progress in conceptualizing what and how to solve, we are still shy in generating the funding to pay for these efforts in a meaningful way that can scale the innovation for newer technology – and still help figure out what to do with the 30 year debt that exists with legacy devices still utilized in the field.
The time is now for us to take that next step and utilize the innovations that the frameworks and innovations in security technologies provide to bridge the gap and provide much needed context for “information security decision support” that help keep our care delivery processes safe. I hope there are more appointments like these across the industry with people that have a balance between understanding the nuances of bringing together academic research with boots on the ground experience along with the assumption that these devices span the globe, and international cooperation can be used as force multiplier in helping address the security challenges that will keep evolving in the days to come.
We at Armis look forward to working with Kevin Fu and his team to chart the future of connected medical device security, such that HDOs can realize the benefits, efficiencies, and productivity of these technologies without fear of compromise by cyber attack.
If you’d like to see a demo of how Armis helps HDOs secure the devices doctors and clinicians use to deliver faster, higher quality care without compromising the safety of patient’s health, safety, or sensitive medical information, please click here.
Sign up to receive the latest news