Thanks to a software platform that analyzes the traffic to
MD+DI’s Web site, we have a pretty good handle on what kinds of articles our audience likes to read. We know, for example, that we’re likely to get a big jump in page views any time we cover a story on
jobs or
compensation (especially if it involves a
CEO). There’s also a predictable bump in traffic following a
megamerger between key industry players. Not surprisingly,
scandals and
lawsuits get people clicking, too.
But one topic that doesn’t seem to pique our readers’ interest is cybersecurity—especially given its potential implications for everything from patient safety to profits. I’ve been told time and time again by experts that cybersecurity should be top of mind for medical device manufacturers. But on our site, at least, the subject seems to be met with a yawn.
At the
MD&M West exposition in Anaheim, CA, this past February, I shared my hunch that many in the medtech industry don’t care enough about cybersecurity with Melissa Masters, director of electrical, software, and systems for consumer, industrial, and medical products at Battelle. She posits that it’s not that those in industry aren’t taking the issue seriously enough, but rather that many in the device business simply haven’t been forced to deal with the problem of cybersecurity directly yet.
Despite stunts like security researcher
Jay Radcliffe’s 2011 public hacking of his insulin pump and a 2012 episode of the Showtime drama Homeland that envisioned terrorists taking control of the U.S. Vice President’s pacemaker, there hasn’t been a reported instance of a medical device being hacked and used to physically harm a patient. But last October, the U.S. Department of Homeland Security reportedly investigated a Hospira infusion pump and cardiac implants from Medtronic and St. Jude Medical that the agency feared could be vulnerable to security breaches. And Masters says other device makers have been in the news for hacks that leaveraged their devices to access hospital networks.
But even those device makers that haven’t yet been hit by a cyberattack will have to start taking the issue more seriously thanks to the finalization of FDA’s long-awaited
cybersecurity guidance document this past October. The guidance encourages medical device manufacturers to develop design inputs related to cybersecurity and establish a cybersecurity vulnerability and management approach as part of required software validation and risk analysis. It also provides a recommended cybersecurity framework for manufacturers to follow and lays out recommendations for how companies should document the steps they’ve taken to ensure the cybersecurity of their devices in premarket submissions.
Now that the guidance is in place, Masters suspects “a lot of companies are going to run into a brick wall” with their submissions if they don’t have their cybersecurity ducks in a row. She says small companies are most likely to be lacking in the cybersecurity department—despite the fact that putting a
security plan in place isn’t usually a significant expense—but even some larger players
aren’t as prepared as they should be.
A talent shortage is partly to blame. “Cybersecurity experts are hard to come by,” Masters says. “Even some big companies don’t have them in-house.”
But try telling that excuse to FDA when it kicks back your submission or explaining it to patients or hospital customers when your device is the target of a cyberattack.
Cybersecurity is a problem the medical device industry simply has to solve. Data is fast becoming the lifeblood of healthcare, and its potential to change outcomes is huge. But all that information is worthless if it's not safe from meddling by malicious parties. Providers won’t purchase your products if they make them vulnerable to attack. And patients will never buy in to treatments if they can’t trust that the data shared about their health is secure.
Next time we run an article about cybersecurity, will you be reading?
