Healthcare cybersecurity 2022: Learning from the cutting edge
By Mike Kijewski. Originally published in DOTmed on January 7, 2022
To be successful in the medical device space, you must be innovative, quick to market, and secure by design — yet, competition is tougher than ever. And we need to do so with high efficacy and efficiency to stay in customer, regulator, and patient good graces.
The underlying requirement is the assurance of secure connectivity and operation, which according to most security professionals, is not guaranteed. Instead, it’s a persistent challenge and continual effort to keep up with ever-maturing adversaries.
As an industry, security practitioners have issued frameworks and standards to guide security best practices that, when employed, can reduce the risks and consequences of a security incident. But what happens when today’s best practices become outdated?
There was a recent device vulnerability disclosed that focused on plaintext in radio communication. The affected device was sold from 1999–2019, which means the design of the device began a couple of years prior. But back then, security best practices barely existed and there was little concern about the usage of plaintext communications. Yet in 2021, this practice is considered high risk and required a vulnerability disclosure, release of a patch, and notification of patients.
This leads to the question: What are we doing wrong today that could lead to recalls in 2030?
It’s easy to gravitate toward the latest cutting-edge technologies, like quantum computing, artificial intelligence, or blockchain as potential disruptors of today’s security strategy. But an adversary mindset might lead to a different conclusion. Perhaps the reason plaintext was acceptable in 1999, no expectation that someone would even want to break this type of communication. And more importantly, technology at the time did not make it easy to implement more secure communication — and neither did it support concerns about breaking it.
What could be motivating attacks in 2030 that aren’t visible today? Will it continue to be supply chain driven, focusing on pervasive, low-level vulnerabilities? Perhaps it will evolve into operational technology attacks, which we’re already witnessing with increasing frequency. Or instead of attempting to extract data from organizations, attackers may seek to interrupt availability, the impact of which was felt in a recent AWS outage.
Admittedly, future-gazing is a luxury in this industry and we rarely get it right. Further, most frequently, successful security is unappreciated, if not unnoticed. But the reality of medical device cybersecurity is that decisions made today are resulting in security debt that will have to be repaid in the future and has the potential to impact a manufacturer’s business in a significant way.
As you set security priorities for the next year and decade, ask yourself what if your organization has to face a future recall because of a security decision you made today — would that change the approach you are taking?
Regulators, security experts, and customers are all aligned around the objective of devices being designed for security and for the future. But has that been translated to a secure product development lifecycle? And if we’re not spending the money to design for the future today, we must, at a minimum, establish robust postmarket practices that include maintaining devices’ security posture and strategically choosing end-of-life products that no longer meet the required level of security.
About the author: Mike Kijewski is the CEO of MedCrypt. Mike is passionate about new advances in the intersection of internet technology and healthcare. Prior to starting MedCrypt, he was the founder of Gamma Basics, a radiation oncology-focused software startup. Gamma Basics was acquired by Varian Medical Systems in 2013.
Mike is a 2021 San Diego Business Journal Top 40 Under 40 and holds an MBA from the Wharton School, and a Master of Medical Physics from the University of Pennsylvania.