Jian Gong is a technology, cybersecurity, and data privacy leader with experience in various industries, ranging from Defense, Pharmaceuticals, Media, and Healthcare. He has architected and implemented cybersecurity and privacy programs for small businesses and global enterprises to help them sustainably and securely scale their technology infrastructure and processes. Jian is currently the Head of Cybersecurity and Technology Infrastructure for Better Therapeutics, a prescription digital therapeutics company focused on helping patients treat the underlying causes of cardiometabolic diseases like Type II Diabetes. He also volunteers as a mentor for several non-profit organizations, such as Cyversity, serves on the Board of Directors of the International Human Rights Art Movement (IHRAM), and is an active member of various professional organizations.
Cybersecurity threats against the healthcare industry continue to grow at alarming rates. From theft of sensitive health information to system outages that prolong patient stays, the impacts of these threats are felt by patients and healthcare providers alike. For manufacturers of medical devices and healthcare technologies, these threats represent both a growing challenge and a business opportunity to invest in security and drive meaningful change.
According to a 2022 report from the Ponemon Institute [1], ransomware attacks against hospital networks directly impact patient care and safety. 56% of survey respondents said internet-enabled device attacks resulted in longer patient length-of-stays, leading to higher costs, while 48% of respondents said these attacks resulted in theft of patient data, which may result in targeted scams and social engineering toward affected individuals. In some cases, impacted hospitals had been forced to divert patients to other nearby facilities. The bottom line? Increased costs in an already expensive market and erosion of patient trust and safety.
In a recent survey of patients conducted by the American Medical Association (AMA), over 92% of patients believe that privacy is a right and that their health data should be protected and kept private. [2] Patients are also least comfortable with big technology companies having access to and using their data, which could have long-term implications for the adoption of digital technologies in healthcare. At the same time, healthcare providers are demanding more secure medical devices before they procure them; a trend that will only increase with the use of connected medical devices across all stages of patient care.
With this in mind, healthcare organizations, medical device manufacturers and suppliers face both a challenge and an opportunity. How do we continue to embrace the use of technology in healthcare without compromising privacy, security, and patient safety?
The good news? The paradigm shift is underway.
The Food and Drug Administration (FDA) is among many organizations leading a paradigm shift in how we view and address cybersecurity in healthcare. The FDA recently released its final guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”, which outlines a key set of cybersecurity controls that medical devices must have to be considered for approval. [3]
The contents of the final guidance align with the draft guidance issued in 2022. Robust risk management, lifecycle vulnerability testing, and clear security requirements are among the many themes of the guidance. Coupled with the Refusal to Accept (RTA) policy issued by the Agency in March 2023, these standards help pave the way for more robust digital security and safety controls in the next generation of medical devices that range from blood glucose monitors to embedded devices and prescription digital therapeutics. Beyond these standards, there are many other actions that medical device manufacturers and suppliers can take.
Device hazard and safety analysis models must incorporate security risks
Patients and providers use medical devices across a range of environments often for years if not decades. Therefore, companies must invest in the digital security and safety of the device across its entire lifecycle. Robust risk assessments that evaluate the exploitability of certain weaknesses in the device against the impacts of data theft, outages, and patient harm form the foundation of this investment.
Medical devices must undergo these hazard analyses to account for all potential device hazards associated with the device’s intended use, and in some cases, its unintended uses as well. How does a blood infusion pump with network connectivity continue to function if the network is down? How does a healthcare app on a patient’s smartphone safeguard data if the phone is stolen? The key factors in the analyses are the impacts on patient safety. To effectively evaluate the impact of security risks on patients, companies must translate these security risks into patient risks to drive product and business decisions in a meaningful way.
Device security must consider the impact of interconnected systems in a complex ecosystem
The growing trend toward interconnected devices in a “smart” healthcare delivery system is real according to research published in the National Library of Medicine and other sources. [4] Think of “Internet of Things” (IoT) adapted to medical uses – also known as “Internet of Medical Things” (IoMT). There are many benefits of the IoMT evolution ranging from earlier diagnosis of diseases to more robust information sharing across previously siloed networks. However, from a digital security and safety standpoint, the move toward an interconnected network of healthcare devices presents a range of security and privacy challenges.
Medical device manufacturers and suppliers must consider how their device operates within this interconnected ecosystem, whether that ecosystem involves the complexities of a patient’s smartphone or a segmented hospital network with hundreds of other devices. How can ransomware propagating across a hospital network affect the ability of a device to provide life-saving functionality? How can a mobile app protect against unintended data theft when running on a patient’s smartphone? In reality, digital threats can arise from any source, so this more holistic view of device security is an important second step.
Public-private partnerships help raise the bar when it comes to security awareness and implementation
Finally, medical device manufacturers and suppliers now have a breadth of resources that they can draw on to improve their awareness and implementation of more robust security controls. These resources range from public-private partnerships led by organizations such as the “Medical Device Innovation Consortium” (MDIC) and the “Archimedes Center of Health Care and Medical Device Cybersecurity” to more mature third-party assessment models published by HITRUST.
These organizations help foster dialogue and information sharing between manufacturers, providers, and payers in a more open forum. They frequently publish resources that companies can use to re-evaluate their investments in device security in response to new digital threats, regulatory changes, and patient needs. The goal is to build a longer-term commitment to digital security and safety in the healthcare industry.
Embrace the paradigm shift in healthcare device security
The paradigm shift we see in healthcare will lead to more robust security controls in the devices and technologies that patients and providers use daily. It sets the foundation for increased awareness and growth in an industry where digital security can translate directly to patient safety.
The momentum is here. Medical device manufacturers and suppliers can seize it and put forward meaningful investments in the digital security of their devices and technologies. In doing so, they have the opportunity to improve patient trust in the use of life-saving technologies and aid the adoption of these technologies by providers and patients alike while differentiating their products in a crowded market by championing digital security as a business enabler.
References
[1] 2023. Censinet, Ponemon Institute. The Impact of Ransomware on Patient Safety and the Value of Cybersecurity Benchmarking. https://www.censinet.com/impact-of-ransomware-on-patient-safety-and-value-of-cybersecurity-benchmarking
[2] 2022. American Medical Association. Patient perspectives around data privacy. https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf
[3] FDA. 2023. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions
[4] Dwivedi, R., Mehrotra, D., Chandra, S. 2022. Potential of Internet of Medical Things (IoMT) applications in building a smart healthcare system: A systematic review. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8664731/