October is National Cybersecurity Awareness Month (NCSAM) in the United States. A collaborative effort between government and industry, this campaign aims to raise awareness about the importance of cybersecurity. This coincides with CyberSecMonth, the EU’s annual equivalent that builds awareness across Europe.  

Towards the end of September, before National Cybersecurity Awareness Month had begun, the MedTech Boston Conference took place. During this three-day event, more than 3,300 of the world’s top MedTech executives gathered in Boston to discuss the latest news, insights, innovations and business development opportunities related to the medical device industry.

Rather appropriately, a great emphasis was placed on cybersecurity. This was no anomaly, however: for the past number of years, cybersecurity has figured prominently in the event schedule. As our healthcare system continues to evolve and integrate connected devices into medical practice, the spotlight placed on cybersecurity will continue to grow, and rightly so.

Nova Leah’s Standout Talks at MedTech Boston

In August, Nova Leah attended Black Hat and DEFCON, two of the biggest events of the information security calendar, and provided a number of event takeaways. For MedTech Boston, we wanted to highlight one particular discussion that we believed provided the “key message of the conference” and was quite pertinent to the current cybersecurity industry. The discussion, titled ‘It Takes a Village’, contemplated the importance of proactivity and collaboration in cybersecurity. Before we delve deeper into this, however, we want to shine a light on two other standout talks from the conference.

‘Preparing for Medical Device Cybersecurity in 2020’ – Vidya Murthy

Vidya Murthy is the Vice President of Operations at MedCrypt, a leading cybersecurity software provider for medical devices. In this session, Vidya discussed how device cybersecurity is a shared responsibility between device vendors, healthcare delivery organizations and others. In her talk, Vidya noted the central role technology has played in advancing the quality of healthcare but was quick to point out that this advancement has brought greater cybersecurity risks. This has led to a need for medical device manufacturers to be proactive in their cybersecurity monitoring.

Recent medical device regulatory guidance from the FDA echoed this sentiment and underscored the need to prepare for anticipated changes. The FDA has stated that proactively analysing security within medical devices increases patient safety and reduces risk to public health. Vidya argued that, as the FDA places greater emphasis on proactive security, soon the agency simply won’t approve devices that don’t deliver on these proactive measures.   

Vidya distilled the FDA’s must-have product features into four main components:

  • Encrypt  
  • Sign 
  • Monitor  
  • Track vulnerabilities 

Companies must encrypt all data, sign off on all software, monitor current vulnerabilities within the industry and track the impact of these vulnerabilities.   

Another interesting point emerged when Vidya was asked about how medical device manufacturers should apportion legal liability. According to the speaker, MedCrypt has found that some cybersecurity insurance companies give discounts if medical device manufacturers can show that they’re using professional tools to bolster security and proactively monitor vulnerabilities.

SelectEvidence from Nova Leah is one such professional system that guides medical device manufacturers through the processes of identifying applicable threats to their products and implementing the right security controls to mitigate those threats. Initiatives such as this, which reward positive medical device cybersecurity practices, are something we support.

‘Essentials of Regulatory Digital Transformations’ – Christopher Kneer

Christopher Kneer is CEO at Mareana, a big data and advanced analytics company. In his talk, Kneer discussed how the increasing complexity and integration needs of global regulatory requirements are placing new pressures on organizations. He also stated that companies that initiate and advance regulatory data digital strategies will enjoy significant advantages not only in compliance, but also in growth and efficiency.

We noted this talk as it echoed a recurring theme that we heard throughout the entire conference. This goes back to the idea of addressing and overcoming the challenges of working in an increasingly digitized world.  

New disruptors to the industry will bring new products, new software, new ways of doing things and significant advancement. However, they will also bring new challenges, regulatory requirements and cybersecurity risks. This concurrent growth of cybersecurity challenges will continue to be a feature of digital progression. Therefore, organizations of today need to view security as something that is ingrained into the product rather than an auxiliary feature to it.

Our Key Message from MedTech Boston

From a cybersecurity perspective, the key message of the MedTech Boston Conference came during the panel discussion – ‘It Takes a Village: How the Health Care Community is Working Together to Tackle Cybersecurity’.

This discussion featured senior representatives from the Health Sector Coordinating Council, H-ISAC, MDIC, FDA, AdvaMed, and Abbott. The topic under discussion was that ‘managing cybersecurity in the healthcare community is a shared responsibility, all participants must proactively do their part’.

During the discussion, two key points were raised that demonstrated a great evolution of the industry’s approach to cybersecurity. The first point was that “proactivity not reactivity” is key to securing medical devices. Organizations must continuously monitor for vulnerabilities before they can be exploited. This line of thinking is consistent with requirements set out by the FDA, which ensure that both pre- and post-market regulatory strategies are in place for all products. The onus is now on organizations to demonstrate how they are going to manage devices on an ongoing basis and react to potential challenges before they arise.

Collaboration was another focus of the discussion. The ‘village’ theme of the discussion came from the realization that cybersecurity is a group effort, where all stakeholders share responsibility. The onus is not on any one stakeholder but multiple stakeholders including researchers, hospitals, healthcare officials, regulatory bodies, and medical device manufacturers.

Suzanne Schwartz, of the FDA, identified this new-found emphasis on collaboration as a huge step forward. Schwartz referred to a 2014 FDA workshop that descended into a finger-pointing exercise aimed at finding one party to blame for cyber breaches. Schwartz went on to say that the 2019 collaborative approach showed a new level of maturity and understanding. Accompanying this, the FDA has highlighted three key aspects of a collaborative cybersecurity approach:

  • Trustworthiness
  • Transparency
  • Resilience

The dual messages of collaboration and proactivity are ones we are firmly behind. Proactive monitoring is a key component of SelectEvidence, Nova Leah’s risk assessment platform. Our system also leverages the National Vulnerability Database to spot existing vulnerabilities. This database is itself a crowd-sourced, collaborative repository.

Much More Than a Cybersecurity Issue    

A key message that we would like to finish on also emerged from the ‘It Takes a Village’ discussion. Greg Garcia of the Health Sector Coordinating Council noted that “as we’ve evolved, it’s become much more than just a cybersecurity issue”. The panel went on to discuss how the seriousness of medical cybersecurity often gets lost in the concept.  

Organizations sometimes think of cybersecurity as a box that must be ticked or an ancillary component of technological advancement. However, as we become more connected, cybersecurity boils down to allowing medical professionals to do their job correctly and protect patients’ lives. 

A hospital needs all its medical devices working properly and in tandem with one another. A patient could be depending on several connected devices to keep them alive. Data breaches in those instances can be matters of life and death. It is therefore up to each stakeholder to work collaboratively and protect the entire system of patient healthcare. This was the overarching message of the discussion and one worth reflecting upon for the year ahead.   

We hope you enjoyed our key takeaways from MedTech Boston. If you would like to read more articles like this, we suggest checking out Nova Leah’s Key Takeaways from Black Hat and DEFCON 2019.