Warnings about IoT vulnerabilities have resounded across 2020 cybersecurity predictions, but the greatest vulnerability of all is apathy. This charge can potentially be applied to anyone and everyone from healthcare providers to government agencies. What I want to focus on, however, is the supplier community.
I increasingly talk to CIOs and CISOs who express frustration with the behaviour of their suppliers. It seems that many are ambivalent about proactively addressing regulatory standards that are specific to preserving patient safety. As the leaders I talk to often point out to me, it would be a competitive advantage if they did (let alone the ethical thing to do)!
This all applies especially to IoT devices, what with increasing interoperability, mobility and the dawn of 5G, where the scope for system failures that could affect patient care is greater than ever. As someone who works extensively with the supplier community, I must admit there are only a handful I know of that are actively involved in the development of security and patient safety regulations. Let’s be clear: I believe that the vast majority of medical device and IoT suppliers in healthcare want to enhance patient care, yet security is persistently a sore point. Why is that?
I believe it is apathy. Security has an image problem: it is seen as a technical problem rather than a clinical or organisational workflow risk. That means many devices and their platforms are becoming network-connected without any significant and ongoing clinical risk assessment of the consequences of a potential security compromise. Where such an exercise has taken place, it was a box-ticking routine that hasn’t been revisited in months, and maybe years. C-level executives believe security is in hand at a technical level and make no further investigation, because it is a complex subject to understand for those without a technical background.
There’s also the myth that once a device or platform is deployed to a healthcare provider, the vast majority of the responsibility transfers to that provider and its network security. This is a tremendous risk, because prevention and response depend on a clearly coordinated relationship between the two parties.
The fact is that suppliers can no longer bury their heads in the sand and cite a single ISO standard when questioned. Investments need to be made to take on Clinical Safety Officers and build clinical risk teams. In England, a mandatory standard (DCB0129) actually cites this requirement, and the EU MDR/IVDR now have supporting cybersecurity guidance that takes many of the principles of DCB0129 and combines them with security best practice heavily influenced by previous FDA guidance. New ISO series standards will also emerge in 2020 that lean heavily on these.
It’s time to end the excuses and start investing in people and processes so that the technology can do what it needs to do.