Consumers of any solution expect the solution to function reliably as intended without any unanticipated consequences. The “reliability” and “avoidance of unanticipated consequence” aspects often become an afterthought especially when organizations embark on new innovations and start with a Minimal Viable Product (MVP). Once the basic functional requirements are accepted by consumers, these organizations are pressured to launch these solutions into the market. In digital solutions involving Internet of Things (IoT), the reliability and sources of unanticipated consequences mostly stem from suboptimal attention from the get-go to configuration management, interoperability, and cybersecurity. A recent McKinsey study identifies these three elements as the top impediments to IoT adoptions, as shown in the figure below.
Poor cybersecurity can lead not only to unplanned outages but also to data privacy and safety issues in a MedTech or Internet of Medical Things (IoMT) environment. Consequently, regulatory bodies have also become increasingly active in governing such risks.
Impact:
MedTech leaders often wonder if medical devices have actually been breached. There have been many cybersecurity-related recalls for medical devices through the years that involve critical patient devices such as pacemakers and insulin pump systems. Here are a few additional examples of how things can go wrong.
Care disruptions:
A radiation therapy, radiosurgery, related equipment, and clinical management solution company that provides cloud-based software was hit by a cyber-attack that caused a disruption in services for nearly 170 hospitals and healthcare systems nationwide. The system service provider still worked on the first-generation cloud-based storage system, which eventually led to the security compromise.
In a separate instance, a radiology equipment company was breached because it was running on a dated version of Windows and caused healthcare delivery disruptions.
A healthcare communications product company’s Dictaphone system was infected by NotPetya; the virus spread within a health system, caused x-ray and lab equipment to shut down by taking advantage of a flaw in the Windows implementation of the SMB protocol, and led to patient diversions.
Lab equipment that controlled pumps and pressures at a large university research center was breached. These machines were used to purify and prepare biochemical samples such as proteins.
Data privacy compromises:
One of the largest medical device companies in the world developed an app that manages insulin levels in diabetic patients through a smart insulin pen connected via Bluetooth. The app used Google’s back-end services (i.e., Firebase) for user login. The behavior analytics code incorporated in the services passed PHI to Google.
A pharmacy and medication management solutions provider faced a ransomware incident in which its products/services, internal IT systems and 3rd party cloud services were impacted. The incident affected over 100,000 patients with the potential leak of PHI.
A consumer-facing telehealth platform providing mental and behavioral health services for patients used pixel tracking technologies. PHI data was transmitted to 3rd parties without patient consent, including online self-assessment responses along with other clinical information.
Each of the companies above had at least some form of a cybersecurity program in place. The above sample of incidents indicate that companies may find value in reevaluating scopes and the maturity of their programs.
Regulations:
A set of regulations have come into existence to establish a minimum standard of care regarding cybersecurity for MedTech / Connectable Medical Device / Software as a Medical Device (SaMD) companies. These regulations include requirements that cover the entire lifecycle (i.e., pre-market, post-market, and end-of-life). Examples include:
USA: Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act.
EU: 2017/745
Singapore: Cybersecurity Labelling Scheme (CLS)
China: Provisions on the Management of Network Product Security Vulnerabilities
Status:
Companies have various degrees of efforts underway regarding product/solution cybersecurity. Some have not even started on the journey. The most advanced ones have done reasonably well in the post-market area (i.e., PSIRT - Product Security Incident Response Team). Opportunities still exist in the pre-market area for most of the companies. The scope of activities that an organization needs to mature is broad and requires coordination among product security, engineering, product management, field engineering, and legal/compliance teams; and so, some level of change management and engagement from the top leadership team is usually required.
MediTechSafe recently led a research effort to understand where organizations are in their Product Cybersecurity journey vis-à-vis regulations. If you have interest in learning about the outcome to benchmark yourself, feel free to contact us.
MediTechSafe offers a SaaS platform that can help improve program maturity, reduce burden on security/engineering teams, and deliver cost productivity. A service element of the solution can help organizations that are at the earlier stages in the journey. If there is an interest in learning more, reach out to us at info@meditechsafe.com.