By Randolph Fillmore
In 2021, San Diego-based Scripps Health suffered a cyberattack that forced it to take a portion of its information technology (IT) systems offline for several weeks. The hackers stole the health data and personal financial information of 150,000 patients. The attack significantly disrupted patient care and forced medical personnel to take a giant step into the past – they had to use paper records.
Newman Regional Health in Emporia, Kansas disclosed a data breach that impacted 52,224 patients. The 25-bed critical access hospital said that an “unauthorized actor” gained access to a limited number of email accounts between January 26, 2021, and November 23, 2021. It is unclear exactly when Newman Regional Health first discovered the violation.
In January 2022, social security numbers, patient medical histories and bank account information were exposed when Broward Health’s network of more than 30 healthcare facilities in Broward County, Florida, was breached.
These data breaches may be the tip of the hacking “iceberg” as healthcare systems worldwide potentially face data disasters of “Titanic” proportions.
Can healthcare system cybersecurity be improved?
Improving healthcare system and medical device cybersecurity is on the “radar” of a number of healthcare professional organizations and healthcare regulators, such as the U.S. Food and Drug Administration (FDA) and the European Medicines Agency (EMA).
For example, the “Healthcare Information and Management Systems Society” (HIMSS), the self-described “global advisor, thought leader, and member-based society committed to reforming the global health ecosystem through the power of information and technology,” held a conference in Orlando, Florida, in mid-March 2022.
The conference included a “Healthcare Cybersecurity Forum” with information sessions such as “What Keeps Cybersecurity Professionals Up at Night?” and “Patient Safety and Cybersecurity: Lessons from the ER.”
Conference keynote speaker Sean Kanuck, CEO of the strategic consulting firm EXEDEC, addressed the topic “The State of Cybersecurity: Who's Coming and What Are They After?”
Healthcare is a unique industry, he said, and the risks involved have human consequences. “The nature of the healthcare business is about sharing information, with privacy standards, but the requirement for sharing information also introduces vulnerabilities,” said Kanuck.
He urged healthcare organizations to “use best practices, use good firewalls.” He added that it was good to outsource cybersecurity to sophisticated security specialists, as there is “too much risk for a hospital group to do cybersecurity in-house.”
Getting personal: Cybersecurity and wearable medical devices
According to the FDA, as wearable medical devices such as pacemakers and insulin pumps become more advanced, they also become targets for hackers, especially if the devices contain software for Internet connectivity. Medical devices, such as mobile phones that patients use to share their personal health information and data with healthcare providers, are also digitally interconnected and interoperable, making them vulnerable to cyberattacks. This vulnerability not only puts personal health data at risk, but also potentially impacts the function, effectiveness, and safety of medical devices.
So, what is the FDA doing to advance medical device cybersecurity? Medical device manufacturers must already comply with U.S. federal regulations called “quality system regulations” (QSRs), which require them to address all risks, including the cybersecurity kind. The FDA says, however, that it is working toward getting medical device manufacturers to build more cybersecurity safeguards into their products, even those still under development and pending FDA pre-market approval.
In an effort to firm up manufacturers’ pre-market cybersecurity responsibilities, on April 8, 2022, the FDA’s Center for Devices and Radiological Health (CDRH) issued a draft guidance “intended to provide recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk.” FDA says that these recommendations can “facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.”
To strengthen medical device cybersecurity, the FDA is working closely with other federal government agencies, including the U.S. Department of Homeland Security (DHS), members of the private sector, medical device manufacturers, healthcare delivery organizations, security researchers and end-users.
To make the 2022 draft guidance “tougher” than the 2018 version, the FDA incorporated input from stakeholders at various public meetings, comments from Docket FDA-2018-D-3443, and recommendations from the Health Care Industry Cybersecurity (HCIC) Task Force Report to identify the cybersecurity issues manufacturers should address in the design and development of their medical devices.
In early April, Ferdous Al-Faruque, a writer who specializes in reporting on new medical device technologies such as mobile health, combination products, unique device identifiers, and issues surrounding interoperability and cybersecurity, said that by revamping its 2018 guidance on cybersecurity, the FDA took a big step. It asked medical device manufacturers to think about cybersecurity in the context of the QSRs and within what the FDA calls a “secure product development framework” (SPDF).
That is – build your device with cybersecurity components if you want it to get FDA approval. One commentary on the draft said that the 2022 guidance had “more teeth” than the 2018 version.
According to a recent publication on the Regulatory Affairs Professional Society’s website, medical device manufacturers would be wise to pay attention to validation, security, and usability engineering aspects of software, emphasizing that medical device manufacturers should find a balance between user need, intended purpose, benefit-risk, clinical claims and clinical data. Another focus area for medical device regulators is the evaluation of clinical safety and performance, and overall risk-benefit profile of products through a critical assessment of clinical data generated from its use.
Finally, consumers should scrutinize the level of security built into their medical devices, especially those communicating their personal health information to various healthcare providers.
About Consonant Custom Media
Consonant Custom Media provides content marketing and storytelling for hospitals, health systems, nonprofits, foundations and life sciences innovators who want to make more meaningful connections with their communities of interest. We create original content that is truly consonant, or in harmony, with our clients' brand values and drives profitable consumer action. Clients use our original content strategically, to reach specific objectives in perception management, physician relations, service line development, sales and donor development.