Medcrypt

The Medical Device Cybersecurity topic has now been 15 years in the making. Kevin Fu’s 2008 IEEE paper about his research into Pacemaker and ICD Cyber Risks can generally be considered the beginning of a long public discussion on this topic. Many of us have been “along for the ride” and have contributed to solving this pesky problem - yet, we also have felt at times that there is no or little progress made ... until now.

Working here at Medcrypt gives me the opportunity to interact with a select group of experts who truly live and breathe medical device cybersecurity. Over the course of their careers, these experts have written regulatory guidances, reviewed medical device 510(k)s, built products that solve the underlying security problems, and have published, presented, and educated on the topic. I took the opportunity to speak with Mike Kijewski, CEO, Vidya Murthy, COO, Seth Carmony, VP of Regulatory Strategy, and Naomi Schwartz, VP of Services and asked them to reflect on their experience on the topic and why 2023 felt like a breakthrough.

Mike points to the underlying root cause: “the shift of security responsibility from the network operators to the product developers, both via FDA guidance and the White House National Cybersecurity Strategy.” Seth adds that “market forces drive us to security maturity, period. Documented attacks, SEC, FDA, HDOs collectively exert market powers and force our industry from reactive to proactive security and to a state of reducing security debt rather than managing it.” Vidya further interprets these trends: “Prior to 2023, it always felt like the product security was ‘product security's problem.’ This year changed the game for everyone including IT, Regulatory, Quality, and C-Suites.”

Naomi summarizes: “Everyone who has been dragging their feet is now being forced to quit procrastinating. Not everyone is responding with full effort, but finally, everyone is starting to spin up on it.”

Having said that - was 2023 just a blip or can we expect this momentum to continue into 2024 and beyond?

Looking at observed behavior, Naomi thinks the momentum will continue: “we have seen a handful of big MDMs really shift gears and get much more focused on cybersecurity; we see a handful resist and start failing to get product cleared by FDA, then shift gears in response; we see a handful resist even harder and get warning letters or have major security events that make the news (both are already happening); we see mid-sized companies scrambling to catch up; we see new companies starting with secure-by-design - making them more attractive acquisition targets. But also, we will see a handful of companies tank and disappear for a number of reasons, cybersecurity being one of them.”

Seth looks at the big picture as cybersecurity is changing not only in the medical device space: “I think as I look to 2024 I believe there is a societal recognition that cybersecurity is essential to critical infrastructure and the market incentives, real and contrived, will continue to move us in the right direction. We now have a number of accelerators, such as new laws and regulations, that should be able to bend the trendline, and combined with technology enablers, such as AI, are expected to lead to a more secure and safer future.”

Looking at real-world data, Vidya concludes that “given the increase in ransomware incidents in health systems, security is no longer a nice-to-have. The reality is that attack vectors, relative to patient safety, do not discriminate. I believe going forward we will see defacto requirements from not just the regulators but also health systems that cannot be bypassed / deprioritized due to other emergent features or business requirements.”

And we have the data and evidence to back this up. With the ever-evolving threat landscape, we are observing an increase in the sophistication of attacks which in turn results in a higher impact (larger breaches, higher costs, critical and longer operational impact). Especially in healthcare, any security incident is, directly or indirectly, tied to patient health. A recent study showed that during ransomware attacks the number of Medicare patients that die while in hospital care increased by 25% (from 3 before to 4 in 100 during an attack). That leads to an estimated number of 42 and 67 excess deaths of Medicare patients for the 2016 to 2021 time frame. But as the authors state, “we are only just beginning to understand how ransomware attacks affect patients’ health outcomes.”

Another important factor to consider is the financial well-being of healthcare organizations. Most run at a very slim (1% or less) profit margin and the combination of ransom payments, recovery costs, and lost income can have dire consequences for organizations' financial viability.^,

Although not all attacks are as blatant as the example of a security company hiring hackers to help them drum up business, adversaries are very creative in strategizing new attack schemes that help them meet their goals. For example, the objective of any ransomware attacker is to maximize payout and increase pressure to assure a victim's willingness to pay. So, over the past years, we went from encrypting data for ransom, to schemes that encrypted data as well as backup, to what is now called double extortion i.e., ransoming the hospital to get their data back and then derive additional revenue from the threat of releasing the acquired sensitive information. Or, as another example of recent developments, ransomware gangs have filed a complaint with the SEC about their victim not following their legal reporting obligations. With attackers’ seemingly endless creativity and as we follow this trajectory of escalating aggressiveness, we can see how medical devices could easily be caught up in a future level of escalation.

But for every action, there is a reaction. Regulators and lawmakers increasingly recognize the need to reign in the lack of cyber readiness in critical industries, including in healthcare. The FDA recently released their final cybersecurity premarket guidance and we can expect that 2024 will bring a number of enforcement surprises. We would expect the industry to pivot quickly, within the given systemic constraints, and lawmakers on a federal and local level will step up their “support” coupled with their willingness to directly make executives responsible for the lack of security in their organizations.

Between medical device regulators' action (domestic and international) as well as other government cybersecurity initiatives, 2023 was indeed a watershed year. In parallel, financially and politically motivated cyber adversaries continue to develop their capabilities, leading to increasing cyber losses as well as risks to critical infrastructure. Producers of software-based products will need to continue to improve their products’ cyber resilience. Operators will need to manage, and to a large extent phase out, insecure legacy devices as well as improve their overall security infrastructure. 2024 will, in our opinion, not only continue the previous years’ trend but will also need to prove that we, collectively as an industry, can change and can do so fast enough.