Jul 22, 2020
Industry experts urge greater collaboration in medical device cybersecurity

Connected medical devices continue to revolutionize health care. Whether used in a hospital or sent home with patients, connected health devices are increasingly prevalent. They extend care beyond the clinical setting, create fail-safes for human error, and provide essential data that can help doctors identify trends and make life-saving decisions.

The expansive growth in connected medical devices was noted during a recent panel discussion about medical device cybersecurity, hosted by global technology consulting firm Booz Allen Hamilton. Kelly Rozumalski, secure connected health director for the firm, said, “When we look at the broader digital health care market, things such as 5G, cloud, edge computing and wearables, these are all things that are enabling the market to grow at an extremely fast pace.” It’s a trend that shows no signs of slowing down. Rozumalski asserted that there could be about 50 billion connected devices within 10 years.

With this growth come broad and complex challenges, which health care providers, medical device manufacturers and industry regulators must address to secure connected health devices and protect patient safety and privacy.

“There is no one-size-fits-all approach,” said Rob Suárez, vice president and chief information security officer for BD, noting that every hospital and every patient environment is unique. “Medical devices can be in a hospital setting for 15 to 20 years, but new cybersecurity threats are emerging daily.”

Additionally, Rozumalski pointed to the complexity of securing the millions of connected devices being maintained by the patients themselves—a trend that may continue as patient care increasingly shifts away from the acute care setting.

The experts also talked about the challenge of addressing vulnerabilities in third-party components. Jessica Wilkerson, cyber policy advisor for the U.S. Food and Drug Administration (FDA), pointed to the need for a software bill of materials requirement.

“The software bill of materials (SBOM) is essentially this idea that you can’t protect what you don’t know you have,” Wilkerson said. “This is the problem in software supply chain development, and it’s not just with medical devices. This happens across any product with software in it. If you don’t know what the product is built out of, when those components end up having vulnerabilities, you don’t know where to look.”

Referencing the impact of COVID-19, Wilkerson said, “What the pandemic has really underlined is that the criticality of having information available before a crisis hits really cannot be overstated.”

Needs such as these are why BD makes its product security documentation available through the BD Product Security website, including product security white papers, which incorporate a Manufacturer Disclosure Statement for Medical Device Security (MDS2).

“Here at BD, we strive for transparency and include third-party products or components in our product security white papers and in our product security incident vulnerability management plans,” said Suárez. “Making templates for these documents available to our customers and fellow medical device manufacturers is one more way we can help advance cybersecurity across the health care industry.”

The panel conversation illuminated one major theme: the need for greater collaboration between health care providers, medical device manufacturers and industry regulators. Working together, the health care industry can enable patient safety and privacy while driving the secure use and innovation of life-saving medical technologies.