With the growth of digital health, healthcare innovation, telehealth solutions, and remote monitoring capabilities, care delivery has become increasingly technology- and internet-driven.
However, with this transition to cloud- and internet-based applications, the risk of cyber attacks and security breaches has also significantly increased, rendering the entire healthcare system incredibly vulnerable.
Recognizing this growing concern, late last month, the Food and Drug Administration (FDA) issued a detailed note providing the guidelines for security measures, specifically for medical devices. The note explains: “A person who submits an application or submission […] for a device that meets the definition of a cyber device under this section shall…: 1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, post market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures; 2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure…”
As the wireless and remote monitoring device market has grown significantly in the last decade, regulators are especially concerned that these devices, which often use wireless communications, are particularly susceptible to cyber attacks.
A few years ago, a famous incident was publicized in which cybersecurity professionals were able to insert malware directly into a wireless pacemaker. Though this was for demonstration purposes only, the concept was nonetheless shocking: a relatively simple effort gave hackers the ability to control the pacemaker remotely. Indeed, this is an incredibly frightening proposition for millions of people worldwide who depend on devices such as these. For many decades, cybersecurity breaches were thought of as dangerous because of the loss of data or privacy; however, now, with life-saving devices increasingly becoming connected through the internet, breaches pose actual risk to life and patient outcomes.
Through a broader lens, the healthcare industry has a significant amount of work yet to be done in strengthening its cybersecurity defenses. A report published last week in collaboration with Censinet, KLAS, and the American Hospital Association (AHA) indicated that “healthcare organizations are still mostly reactive rather than proactive when it comes to cybersecurity, especially when it comes to identifying cybersecurity risks…organizations have particularly low coverage in Supply Chain Risk Management, Asset Management, and Risk Management. More than 40% of organizations are not compliant with conducting response and recovery planning with suppliers and third-party providers.”
Therein lies a key problem: organizations continue to be reactive rather than proactive. That is, organizations tend to respond to cybersecurity threats and issues rather than plan for them before they occur. This lack of investment in the right infrastructure and safeguards poses a huge risk for healthcare infrastructure generally, as hospitals are just one cyberattack away from becoming incapacitated.
For many cities that have more than one trauma center or large academic institution in the vicinity, there may be options for patients to receive care at other locations. However, for other communities that lack access to reliable healthcare, a cybersecurity breach causing a hospital to shut down could lead to devastating consequences.
Indeed, the healthcare system’s increasing incorporation of technology has undoubtedly provided many benefits in efficiency, advanced diagnostics capabilities, and novel ways to collect and interpret data. However, this advancement also brings with it a paramount responsibility: to protect and safeguard the patients who are being served.