By Anita Finnegan, CEO, Nova Leah
September 14, 2020

What have we learned from the 2020 pandemic? We know that in an instant, life as we know it can be swiped away from under our feet. We’ve learned to stay at home and distance ourselves from everyone including friends and family. Many of us have learned how to work from home and do it effectively. We’ve leveraged digital platforms in place of the board room. We wave into a camera in place of a handshake. How we conduct business has likely changed forever more.

This is also true for the healthcare industry. Healthcare is transitioning out of hospitals and into other settings and environments. Patients (non-COVID patients) have been encouraged to stay at home this year in order to avoid overwhelming hospital systems. In an effort to deal with significant COVID testing and treatment, emergency hospitals were established all across the globe. Of course, the primary goal has been to deal with the pandemic and so, as a result, the security posture of these emergency healthcare IT networks has not necessarily been the number one priority. The industry has been under extreme duress and now with less secure healthcare IT networks, adversaries have been leveraging the pandemic in an opportunistic way. The healthcare industry has been victim to a rise in cybersecurity attacks. Exploiting COVID-19! 

This duress has also resulted in greater demand for telehealth and telemedicine. More and more patients are being consulted, diagnosed, monitored, and are receiving treatment outside of the hospital, in the comfort of their own homes. COVID-19 has forced a more rapid adoption of telemedicine and telehealth and while very much needed, the adoption of remote patient care has introduced a plethora of risks and attack vectors that may cause harm to patients who are relying on these devices. Remote medical devices lack the healthcare IT network security measures that a hospital can provide in a critical environment. Home and public network environments cannot provide the same level of monitoring and protection. With a weakened ecosystem, adversaries may be able to gain unauthorized access to these devices with the goal of stealing PHI, manipulating configuration settings, or launching ransomware attacks.

The adoption of telehealth and telemedicine requires special attention in terms of cybersecurity. Aggressive adoption without consideration of cybersecurity risks will result in an unstable industry and patients will be at risk. It is imperative for medical device manufacturers and healthcare providers to take a risk-based approach when considering a transition from hospital monitoring and treatment to home monitoring and treatment. Security risks must be considered at all stages of a device lifecycle, from concept, to development, to usage, and right through to decommissioning. Medical device manufacturers must now take into consideration the fact that many medical devices will communicate via unprotected networks and therefore require that appropriate security features be built in or retrofitted to a device.

The COVID-19 pandemic has completely consumed the healthcare industry this year! So, what have we learned from this? We have also learned that we need to better protect the industry in the event of another such pandemic. We have learned that telehealth and telemedicine can provide this protection as long as the adoption of remote patient care and technologies is balanced with the adoption of better on-device security features.

Anita Finnegan is the CEO of Nova Leah, the first provider of intelligent software solutions for addressing cybersecurity risk management compliance requirements for connected medical devices. She is an internationally recognized expert in the field of medical device cybersecurity risk management and is an active member of a number of International Standards Communities. Her PhD research focused medical device cybersecurity through the use of security assurance cases. In additional to many peered reviewed journals and a number of book chapters, Anita authored and was the international project leader for two technical reports (IEC/TR 80001-2-8 and IEC/TR 80001-2-9). She represents NSAI as Ireland’s medical device security expert at International Standards meetings and is a member of the following working groups: MITA’s MDS2 Canvass Group, NTIA Software Transparency Group, UL 2900 Steering Group and a Project Lead for the development of a new cybersecurity assurance standard for ISO/IEC 81001.