March 1, 2024
By Vidya Murthy, Medcrypt COO and Axel Wirth, Medcrypt CSS
As we demonstrated in Part 1 of this blog as well as reported in public media through the coverage of individual security events (domestic and international), healthcare delivery systems are increasingly under attack, resulting in compromise of sensitive data, ability to deliver care, and ensure the safety of their patients. Consequently, in the last 18 months there has been added emphasis to specifically raise the bar for cybersecurity in healthcare in general and for medical device cybersecurity in specific.
This includes:
Collectively, the developing legal and regulatory strategy is taking a two-pronged approach by improving the security maturity of devices and systems hospitals are buying while also raising the bar on improving the security posture of the environment they operate in, i.e., the hospital networks. The overall trend is to move away from having healthcare delivery organizations (HDOs) solely carry the burden to ensure and manage the security of devices within their network. The growing momentum between regulators, the government, and consumers is to increase the de facto security that comes with devices.
October 1, 2023 saw the implementation of the eSTAR program by the FDA. While this may seem tangential, it does act as an entry gate and enforcement step for manufacturers to demonstrate that they are meeting FDA cybersecurity requirements. If those requirements cannot be demonstrated, the submission does not “Pass Go” and the review process will not begin. This transition moves enforcement from idiosyncratically relying on the reviewer, to now being systemically enforced across submissions. Anecdotally, we have observed a 700% increase in rejection due to security alone when compared to the prior quarter.
Additionally, other agencies have started to establish mature security expectations and have demonstrated their willingness to enforce. Early in January, the Federal Trade Commission (FTC) sought action against a CEO and CFO for poor data protection practices. Equally interesting is the notion that the FTC is enforcing action against the CEO for the next ten years, regardless of place of employment. This quite obviously cements security practices as ‘set at the top.’
Lastly, the Securities Exchange Commission (SEC) rule requiring disclosure of material cybersecurity incidents went into effect mid-December of 2023. Interestingly, ransomware gangs have taken advantage of this rule by directly filing to the SEC when a company refused to negotiate after a ransomware attack, i.e., a material breach.
At its simplest — cybersecurity can be seen as a partner in growing revenue opportunities, rather than the historic view of it being a cost center without value. When the leadership team does not strategically utilize security and risk management to make informed decisions, security will almost assuredly result in the perception of a cost center and will not be able to meet today’s market needs and legal and regulatory expectations.
While there have been several publicly cited instances of stock value loss after a breach, in addition to reputation and legal impact, at the end of the day, patient safety is the ultimate goal of any security program. The ability for connected healthcare to fundamentally change care delivery is widely discussed, and with novel data opportunities emerging requires a responsible sharing of responsibilities and mature security table stakes.
Regulation will keep maturing, including expected updates of the HIPAA Security Rule — but if healthcare waits until the regulators show up, the challenge in meeting mature expectations will be insurmountable. By starting the process of understanding and aligning security initiatives with business opportunities, the mindset around security can start to shift and the business can take advantage of this new legal and regulatory environment.
Looking for support meeting FDA cybersecurity requirements to secure medical devices by design and improve patient safety? Connect with Medcrypt for the ways we can help your organization. Email us at info@medcrypt.com and visit our website.
December 13, 2024
December 4, 2024
Get the latest healthcare cybersecurity news right in your inbox.
We'll never spam you or sell your information