The title is probably a good quote to reflect the spirit of the first day of the public workshop on “Collaborative Approaches for Medical Device and Healthcare Cybersecurity”, jointly hosted by the Food and Drug Administration (FDA), Department of Homeland Security (DHS) and Health and Human Services (HHS).
The number one takeaway from today is the unprecedented collaborative spirit across all stakeholders. That spirit extended well beyond the government agencies hosting the event to healthcare providers, medical device manufacturers, and security experts. Numerous discussion panels and plenty of audience participation made one thing clear: everybody recognizes the need to address the problem of medical device cyber-vulnerability, and everybody is willing to let their guard down and contribute constructively to the solution.
As discussions revealed, the problem is complex and the solution will need to combine technical, procedural, workflow, regulatory, legal, and policy elements. And, it will not happen quickly. Working through process latency and replacing or upgrading an existing infrastructure of legacy devices will take time and will face technical and practical implementation problems.
It is a “system of systems” problem in an “industry of industries” ecosystem, and, as we learned today, it is being addressed by an “organization of organizations”. Here are some of the key takeaways from day one:
- The medical device industry can learn from other industries on how to approach this problem. Industrial Control Systems (ICS) started to solve this 10 years ago and even though there are differences, they do offer a blueprint we can learn from.
- However, one difference needs to be recognized: we are now facing much more serious attacks and more sophisticated adversaries. For example, about half of the security incidents reported by CERT now fall into the category of Advanced Persistent Threats (APT).
- The problem, and consequently the solution(s), has to be looked at in the context of today’s hospital operations, where the priority remains patient care. And it is not a problem limited to the individual device: a device is only as secure as the network it sits on, and at the same time a device, as the potentially weakest link, is a security threat to the whole enterprise.
- There is a definite need for a framework to categorize threats, vulnerabilities, device types, and use cases. Not all medical device security incidents are created equal: some may affect care delivery and potentially even lives; others may have only operational or financial impact.
- There is a need for a cross-stakeholder security council. Other industries, e.g. the financial sector, have demonstrated this as a successful model, and there is an opportunity here for a public-private partnership.
- Healthcare providers are taking action; one panelist described it as having moved from “frustration to anger”. Increasingly, hospitals are stipulating specific security requirements in their buying process, actively testing devices, and including cybersecurity in their device-related processes. However, hospital margins are slim and many cannot afford to solve this on an individual level; we need to cooperate.
- Any solution framework developed needs to scale: from pacemaker to MRI, from small rural hospital to academic medical center, from global manufacturer to small device company.
- On a technical level we need better device and enterprise security, but also the capability to raise alerts, log security-relevant events, detect tampering, support forensic investigation, and aid remediation and recovery.
- There are a lot of misconceptions, ranging from incorrect interpretation of regulation (no, the FDA does not normally require a new premarket submission for a routine security-related software change) to the assumption that good security is too expensive; for example, consumer devices like the Nintendo Wii and Xbox provide better security than our medical devices.
- The obvious challenge is the growing interoperability between medical devices and other IT systems, especially now that care is moving outside the hospital. Security, reliability, usability, and interoperability should not be trade-offs. Today, more than ever, security cannot be an afterthought.
I am looking forward to day 2 tomorrow.