by Drew Bomett, VP & Chief Information Security Officer, Boston Scientific
Increasingly, hospital systems today find themselves targeted by cybercriminals. A Journal of the American Medical Association report found that between 2016 and 2021, the number of ransomware attacks on health care delivery organizations more than doubled, with attacks growing larger and more severe, ultimately exposing the personal health information of nearly 42 million patients. Sensitive data isn’t the only thing at risk in a cyberattack; the risk extends to patient care and safety.
Network connectivity for interoperability has become vitally important for medical devices. This connectivity benefits patients, but it also comes with risks to manage. Hospitals and manufacturers have a shared responsibility to ensure that those connected systems remain safe, secure, and effective — a responsibility which, as per a new FDA regulation, is now officially a requirement.
The medtech industry has an important role to play in helping reduce cyberattacks on hospital systems. But to do so effectively, we need to continue to work together.
Why create a uniform cybersecurity standard?
Medical devices are increasingly designed to interoperate with other systems and technology, much of which is provided by different manufacturers – each with varying cybersecurity specifications and robustness. That variation has become an acute point of concern amid the fast-growing sophistication of the threat landscape. Accordingly, the process of vetting the security of each device has become exponentially cumbersome for hospitals.
For example, between 2004 and 2019, the standard risk analysis questionnaire for device manufacturers ballooned from 17 questions to 165 questions, an indication of the push for more transparency in the security design of medical devices. Additionally, some hospitals have created personalized cybersecurity questionnaires that can run to hundreds of questions. This results in much paperwork, overhead and uncertainty for hospital teams, which could be mitigated if manufacturers were to adopt a unified set of standards.
This past December, after years of FDA guidance on medical device cybersecurity, new, mandatory requirements for all medical devices were signed into law. These requirements will go into effect October 1, 2023. Ordinarily, this would constitute a very short turnaround for compliance. Fortunately, however, many of us within medtech had already begun working together on a set of standards that would fulfill the new mandate.
Collaborating to ensure safety from cyber threats and move our industry forward
Convincing competitors to work together isn’t always easy, but the medical device industry has a longstanding tradition of bringing diverse stakeholders together around united goals. Two such unifying organizations are the Association for Advancement of Medical Instrumentation (AAMI) and the Health Information Sharing and Analysis Center (H-ISAC). I’m proud to say that not only is Boston Scientific an active member of these organizations, but our co-founder John Abele helped create AAMI back in 1965.
Thus, as regulators were increasing their scrutiny on cybersecurity, Boston Scientific was already involved in devising solutions in our role as co-chair of the AAMI device security working group. That group’s successful collaborative efforts resulted in the June publication of a new landmark medical device cybersecurity risk management standard. It represents the very first guidance document for managing security risk across a product’s life cycle. Using this document as a roadmap for security risk management, medical device manufacturers can work to create a more unified cybersecurity landscape, which should help protect hospital security networks from attack and keep patients safe. While we will continue to remain vigilant in the face of evolving cyberthreats, this milestone document stands as an important reminder of how much the medtech industry can accomplish when we collaborate on behalf of what we can all agree is our highest priority: the patient.