Responsibility for health and medical device cybersecurity must be shared

Open your newspaper or laptop on any given morning nowadays and you are bound to find a fresh report about the urgent need to address the nation’s extreme vulnerability to cyberattacks at the hands of hostile foreign governments. No sector is currently less prepared, hence more at risk, than the health sector.

The FDA has made it clear that health and medical device cybersecurity is an urgent matter. According to the agency’s recent fact sheet, “Medical devices, like computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. By carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage emerging cybersecurity risks, manufacturers can reduce cybersecurity risks posed to devices and patients.” Are we prepared? Are hospitals prepared?

The growth in such cybersecurity vulnerabilities is largely driven by a sharp growth in third-party ties. Providers expect the number of third parties they contract with to grow at an annual rate of 30%, from 1,950 to 2,541 in the next 12 months. Of those third parties, 43% have access to patients’ personal health information, putting providers at higher risk of a breach or hack.

On March 8, 2022, the FDA issued an alert on vulnerabilities identified in medical device software components, warning that “successful exploitation of this vulnerability could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition.” Are we prepared? Are hospitals prepared?

An essential strategy in advancing medical device cybersecurity is a regular working partnership between FDA-regulated manufacturers and the end user. With medical device makers held to increasing cybersecurity standards and regulations, an imbalance currently exists and more must be done to convince health systems to go all-in. We are not prepared. It’s time for the American healthcare system to step up – and particularly hospitals.

In April of this year, the Department of Health and Human Services posted an alert warning healthcare organizations about an “exceptionally aggressive” ransomware group that is targeting hospitals. Hospitals have struggled for years to roll out comprehensive cybersecurity programs. COVID-19 exacerbated the problem, and cyber-breach reports to HHS in the second half of 2020 climbed 36% over the prior six-month period.

Not surprisingly, cyber-attacks target the hospitals with the least security – smaller, rural providers. A ransomware attack shut down all the phone, computer and email systems at non-profit Coos County Family Health Services, the main health provider in New Hampshire’s Androscoggin Valley, which serves about 15,000 patients. In February of 2021, Rehoboth McKinley Christian Health Care Services — a rural not-for-profit on the edge of the Navajo Nation in New Mexico — was also brought to a halt by ransomware.

In 2021, according to one survey, the industry set aside about 6% or less of its IT budgets for cybersecurity — with two out of every five respondents reporting that their cybersecurity budget remained the same or shrank last year. At the same time, 73% reported that they rely on legacy operating systems like Windows Server 2008; only about half said they had implemented a comprehensive network monitoring tool or an intrusion detection and prevention system.

Per an investigative report in STAT, “Such an attack can be devastating for a health system of any size and scary for anyone relying on its care. But for smaller hospitals and practices, the costs — both to patients and to the bottom line — can be especially steep. Experts say that small, rural providers are also less likely to be prepared to defend, resolve, and recover from a ransomware attack than their larger, urban counterparts.”

Hospitals have increasingly become targets, with hackers betting that executives will pay quickly to restore lifesaving technology—adding even more pressure to healthcare providers already strained by the pandemic. In May 2021, the FBI warned that ongoing ransomware attacks on medical providers and first responders were putting the public in danger and risked delays in medical care.

A study sponsored by Boston-based health data security company Censinet found that the COVID-19 pandemic has left providers less confident in their ability to mitigate the risks posed by ransomware. Of the health delivery organizations surveyed, 61% have been victims of ransomware attacks, and of those that have been hit, 33% have been hit more than once. Meanwhile, 61% of providers are not confident in their ability to combat ransomware, up from 55% pre-COVID-19.

A survey from the Ponemon Institute found that one in four providers said their organization noticed a rise in mortality rates following an attack. Cyber-attacks on hospitals are nothing short of healthcare terrorism.

One of the key lessons learned from COVID-19 is that when the healthcare ecosystem works together, we can accomplish amazing things quickly. Healthcare cybersecurity must learn from and build on that experience. It’s time to put ideas on the table. For example, let’s make cyber readiness a part of accreditation with JCAHO (the Joint Commission on Accreditation of Healthcare Organizations). How about factoring cyber-readiness into quality evaluations, à la CMS’ 5-star rating system for nursing homes? We can learn from past successes – and mistakes. We must be responsible. We must be prepared.

“Responsibility is a unique concept… You may share it with others, but your portion is not diminished. You may delegate it, but it is still with you… If responsibility is rightfully yours, no evasion, or ignorance or passing the blame can shift the burden to someone else. Unless you can point your finger at the man who is responsible when something goes wrong, then you have never had anyone really responsible.” — Admiral Hyman G. Rickover

• Peter J. Pitts, a former FDA Associate Commissioner and member of the United States Senior Executive Service, is President of the Center for Medicine in the Public Interest and a Visiting Professor at the University of Paris Medical School.