- Healthcare ranks among the top five industries most targeted by cyberattacks; this puts not only patient data but also human lives at risk
- Cybersecurity needs to become part of the organisational culture in both healthcare providers and medtech companies
- Governments can help by enacting industry-wide standards for cybersecurity in healthcare
Now, imagine this same scenario in the context of healthcare, where an electronic health record database, a connected life support system or a pacemaker gets hacked. Not only could sensitive patient data be lost; human lives are also at risk.
According to a report released by IBM in 2016, healthcare ranked among the top five industry sectors that experienced the highest incidences of cyberattacks. As the Internet of Things (IoT) weaves its way into clinics and hospitals and medical devices come with built-in internet connectivity, the need for heightened cybersecurity in the healthcare sector is greater than ever before.
“We’re facing a never-ending battle trying to close yesterday’s vulnerabilities, but the hardest part of all is predicting tomorrow’s exposures accurately,” said Mr Paul O’Rourke, Cybersecurity leader, ASEAN, PwC Singapore, who moderated a panel discussion on ‘Cybersecurity in MedTech–An urgent need for industry collaboration’.
The panel, convened as part of the Asia Pacific MedTech Forum held from 7-8 November 2017, consisted of Ms Miao Song, Chief Information Officer & Vice President, Johnson & Johnson; Mr Hirotaka Mieda, Head of Cyber Security Intelligence at BGC Group; and Mr Wayne Dennis, IoT and Cyber Security Expert, PwC Washington.
Building a cyber-immune system
There are surprising parallels between biological infections and cyberattacks. If an individual’s immune system is strong, viruses are unlikely to successfully invade the body. Similarly, if hospitals and manufacturers of medical devices pay attention to cybersecurity threats and put protective mechanisms in place, hackers will find it more difficult to infiltrate the healthcare system.
Highlighting the importance of top management in championing cybersecurity within organisations, Ms Miao noted that “Cybersecurity has to be a regular topic in the boardroom. Regular, updated education is super important.”
But simply having a boardroom discussion is insufficient. Any insights and actions to be taken must be disseminated throughout the ranks of the entire organisation—after all, people are the weakest link in the cybersecurity chain.
“From a hospital standpoint, staff may be aware that medical devices provide hackers with a backdoor or foothold into the organisation, but they’re not going to apply the appropriate security controls because they just don’t know how,” said Mr Dennis. Therefore, equipping employees with even the most basic defensive habits, such as changing the default passwords on medical devices, could go a long way towards deterring cyber criminals.
And while prevention is better than cure, the healthcare industry should work under the assumption that a successful cyberattack will eventually occur, and plans should be drawn up to ensure that operations can continue or quickly resume in the aftermath.
“Protection and detection is necessary, but containment and remediation [after a cyberattack] is also very important,” said Mr Mieda.
Raring to be regulated
Although medical device manufacturers and hospitals are seeking to improve their own cybersecurity measures, there is currently no industry standard for them to abide by. This lack of regulatory oversight has led to a fragmented ecosystem riddled with vulnerabilities, said the panel.
In a surprising turn of events, medtech industry players that typically focus on product functionality and speed-to-market are now calling for health authorities to mandate more stringent cybersecurity guidelines.
“One key role that the government can play is to coordinate efforts across the entire sector by clearly defining a common cybersecurity framework. For example, the requirement for embedded cybersecurity elements can be made part of the medical device approval process,” said Ms Miao. This would force vendors to engage with cybersecurity experts early on during the product development life cycle.
Mr Mieda agreed, adding that such regulation would make cybersecurity a benchmark of quality, giving cyber-aware medtech firms a competitive advantage.
Models and motivations
Asked if there was a model of effective regulation pertaining to cybersecurity, the panel repeatedly used the finance sector as a point of reference. Segregating internal networks, implementing multifactor authentication for account access and appointing compliance officers to enforce cybersecurity protocols are just a few of the barriers that banks have erected to ring-fence assets and protect customer information. Given the many analogous processes in the healthcare sector, regulators need not reinvent the wheel—they can simply adapt and apply these best practices.
Nonetheless, alluding to the multiple nuclear disasters that occurred before nuclear energy production was held to a higher safety standard, Mr Dennis raised the thorny question: what has to happen before cybersecurity gets prioritised in medtech?
Speaking from his experience in cybersecurity forensics, Mr O’Rourke revealed that cyberattacks resulting in significant financial loss are often the wakeup call for organisations. With higher stakes—human lives—in the healthcare sector, he urged medtech firms and hospitals to start the conversation on cybersecurity sooner rather than later.
“Cybersecurity is more of a dialogue through development life cycles and through risk in the organisation... Once it’s on the agenda, it gets talked about more and it gets embedded throughout the industry,” he concluded.