Cybersecurity challenges are turning natural competitors into willing collaborators as companies try to ward off the shared threat of attack.
By Michael Border
“Oops, your important files are encrypted,” a May 2017 pop-up advised on the screens of an estimated 200,000 computers worldwide.
The culprit was WannaCry, a cryptoworm that attacked computers running the Windows operating system. It demanded ransoms to be paid in Bitcoin, a digital currency that leaves no incriminating paper trail. Cybersecurity experts discourage making payments to hostage-takers, warning that it encourages future hacks and provides no guarantee that files will be restored. Either way, the damage was done. The game-changing attack paralyzed hospitals in Britain’s National Health System. Patient files and daily schedules were simply unavailable – there was no record of patient appointments and no access to treatment files. In demonstrating the extent to which healthcare is reliant on digital resources, the cyber assault sent shockwaves through healthcare worldwide.
Today, that attack and others like it have led to an interesting development in the healthcare industry. A common interest in patient well-being is bringing together natural competitors – giant medical device manufacturers – to declare a truce and share measures that counter cyber threats and ensure patient safety. On the issue of security, they are not looking for competitive advantages but rather promoting transparency and collaboration to protect the health of patients and the Medtech sector as a whole.
Moving to Collaboration
Ken Hoyme, director of product and engineering systems security at Boston Scientific, is a vocal advocate of transparency among medical device manufacturers. An award-winning engineer with a 33- year career in safety and security-critical, regulated industries, Mr. Hoyme now heads up Boston Scientific’s global product design safety mission.
Until recently, Hoyme said, healthcare cybersecurity’s focus was safeguarding patient information in concert with HIPAA regulations. WannaCry abruptly re-directed the sector to evaluate potential denial-of-service attacks on medical devices and related challenges.
“In Britain the attack became a hospital-level concern,” he said, jolting healthcare stakeholders worldwide.
Mr. Hoyme recently served as chair for the first of three half-day workshops set for 2018 devised to foster a conversation among medical device manufacturers, health delivery organizations (HDOs) and industry regulators (the second session is July 26). Participants at the session included security leaders from enterprises including Medtronic, Adventium Labs, Boston Scientific, Mayo Clinic, Fairview Health Services, Deloitte and Siemens. Candid discussions covered concerns, safeguards and evolving security practices.
It’s just one example of a collaborative tone among rivals that at times nudges competition aside.
Twin Cities’ Medtech Leaders Mobilize to Protect Patients
Minnesota holds an outsized stake in the medical device innovation and manufacturing sector.
“The entire state of Minnesota is the most densely clustered concentration of health care and health innovation companies in the world,” said Frank Jaskulke, association vice president of intelligence at the Medical Alley Association, a trade group that represents health technology and care organizations.
He noted that Minnesota is home to Mayo Clinic, ranked top hospital nationwide by US News & World Report; UnitedHealth Group, the world’s largest medical insurance company; as well as Medtronic, the largest medical device company in the world.
Consequently, the unprecedented hack of Britain’s health care system galvanized Twin Cities’ medical device manufacturers into action.
A notable change occurred in hospital purchasing process. Always rigorous, the procedures now are many times more complex for medical devices, both for prospective buyers and vendors. Purchasing specialists now demand more deeply detailed component data than ever before.
Keith Whitby, a speaker at the first Healthcare & Med Device Cyber Security session chaired by Mr. Hoyme, oversees every medical device employed by Mayo Clinic in each location across the country. Mr. Whitby said healthcare pre-purchase reviews now require detailed examinations of devices, which often are made up of standalone sub-components produced by a variety of vendors. Diversity of sub-component sources drives review complexity.
Reviews now probe deeply into the origin and make-up of every sub-component and bit of software employed in any device, Mr. Whitby said. The process, called BOM vetting (bill of material), accounts for all items used in all types of medical apparatus, from diagnostics and treatment devices, to those implanted in patients. Vendors are required to submit logs of software platforms and applied security patches. Medical devices must be tested in off-line isolation before being integrated into mainstream systems.
“When you’re in a hospital and you’re responsible for security of devices, you want to know what’s in the devices,” Mr. Hoyme explained. “If we have good starting knowledge of devices and what’s in them, we can estimate what devices may be affected (by external events).”
The makeup of the medical device industry introduces a fundamental cybersecurity challenge. Innovations often are driven by small, tightly focused start-ups. Many entrepreneurs working on new frontiers in medicine concentrate constrained assets on R&D. Often they’re not sufficiently capitalized to field robust security.
Additionally, the medical device industry operates on thin profit margins, Mr. Hoyme said. There’s a bias to keep devices in service for as long as there’s a useful life. Given these economics, device aggregator strategy favors use “off-the-shelf” software and components to keep prices low. This invites native liabilities that those concerned with cyber security, like Mr. Hoyme, work to forestall.
The purchasing process itself adds another wrinkle. Purchasers who determine which devices to buy are not the same people who perform long-term maintenance; and, the people who maintain equipment do not have input into the purchase decisions. This gap produces “an economic feedback cycle,” showing that devices that are more costly to purchase may have a longer life cycle. Conversely, the cost to maintain units that are more cheaply designed is higher over time.
“The dust hasn’t settled yet in this industry,” Mr. Hoyme noted. For example, older implants were designed as closed systems, offering no means for operating system updates. Newer classes of devices are structured for periodic updates and performance enhancements, and this category is getting special attention because these devices require cyber protection.
Device End-of-Life Issues
Yet another issue, software used in design that reaches its end-of-life stage, can occur while a device is still in use. For example, if a patient expects five years of service from an implant device, why consider using a device running on a software platform for which manufacturer support is ending in three years? Windows 7 is a commonly cited example since Microsoft has set 2020 as the end-of-support for that software.
Though it might be tempting to require vendors to extend the duration of support for their products, when the components and software used in implantable devices “get long in the tooth,” obsolescence naturally enters, Mr. Hoyme said.
Technology advances, producing smaller, faster components, and software languages evolve. At some point, old components are no longer available, and programmers versed in today’s software language may not have the skills to write in an outdated code. Thus, it makes no sense to coddle an old technology along when newer and better design options are available.
Prescriptive Subject Guidelines Avoid Off-Limits Topics
When rivals gather to collaborate, and especially industry giants, federal regulators go on high alert, vigilant to risks of potential price-fixing or restraint of trade. Both activities are illegal and carry severe penalties. Participants need to steer far clear of even the appearance of improprieties when rival business leaders meet. However, patient safety is among numerous legitimate reasons for rivals to collaborate.
Mr. Hoyme cited guidelines competitors follow to focus tightly on cyber issues and avoid forbidden topics. He named trade guidelines and “prescriptive procedures,” created by trade groups, which lay out valid topics rivals can adhere to in safely discussing sector strategies.
One such group is AdvaMed in Washington, D.C. AdvaMed is the largest trade association for the medical device industry in the U.S. Zach Rothstein, Associate Vice President of Technology and Regulatory Affairs, said the organization interacts with Congress and the FDA. As industry advocate, the association has established topical guidelines for competitors to safely share threat information and discuss cybersecurity issues without running afoul of federal trade laws. The guidelines are laid out in AdvaMed’s Foundational Cybersecurity Principles.
Likewise, regulators formulate guides addressed to industry players.
“The FDA issues guidance documents on what compliance should look like,” Rothstein said. The agency requires “a robust set of cybersecurity standards” – Quality System Regulations – which the agency has specifically to address the device sector.
Medical device manufacturers must gain approval from the FDA before any new products can enter the market. Standard tests, such as consideration of how devices perform in their use environment, are required of manufacturers.
To date, Rothstein said, the FDA hasn’t had to take enforcement actions because industry members have been proactive about compliance. Companies voluntarily have taken recalls when needed, in both pre- and post-market settings.
The FDA continues to refine its approach and Congress also is active in this space, he said.
“From a regulator and lawmaker perspective, everyone seems to be fairly comfortable,” Mr. Rothstein said.
Numerous other trade associations are engaging and interacting on cybersecurity issues, such as the Medical Imaging & Technology Alliance (MITA) and The Association for Advancement of Medical Instrumentation (AAMI). Each specialized association which represents a sub-group is developing standards specific to its sector.
Though the FDA first issued general draft guidance on cybersecurity in medical devices in 2011, the WannaCry attack broadened the discussion to include legacy devices such as MRIs and other large capital equipment assets with expected life cycles of 15 to 20 years. Regulatory complexity enters when such devices need programming updates because for any changes the review process must start anew. Software manufacturers can’t just send a patch when it would change the underlying operating system – the vendor must test and gain approval before introducing it.
Mr. Rothstein said cybersecurity is a shared responsibility … and everybody’s playing a role.
Patient Safety First – the Guiding Priority
Mr. Hoyme noted that a fundamental issue was debated and addressed in the Medtech sector: Should medical device manufacturers compete on the basis of cybersecurity?
Today, consensus has emerged for achieving baseline security standards throughout the sector to protect patient well-being.
Established medical device companies recognize the benefit of helping emerging innovators and start-ups embrace security since large manufacturers often acquire small companies. If the small companies have no security issues, it’s all the better for the large companies when they acquire them, Mr. Hoyme said.
In this climate of collaboration, competition centers on dimensions of performance functionality – but cybersecurity is a shared responsibility.
Michael Border is an accomplished freelance writer with an insightful perspective on cybersecurity and other issues regarding all the junctures where today’s technology touches our lives. His 30-year career began in news journalism and then quickly expanded to numerous other formats including work as a contributing writer for a national computer magazine, a blogger for a leading Twin Cities’ tech events organization, a ghost-writer for op-ed pieces and a professional speech writer. For project queries, please email email@example.com.