From The Editor | March 14, 2017

Cybersecurity: FDA Leads While CIA Leaks


By Bob Marshall, Chief Editor, Med Device Online

A recent BioBreakfast — a weekly gathering of individuals in the Pittsburgh, Pa., life sciences sector — featured Christian Barrow and Rohit Mehrotra, executive directors from J.P. Morgan Commercial Bank in Philadelphia. The pair provided takeaways from the recent J.P. Morgan Healthcare Conference and discussed their office’s capabilities in helping to grow life science companies. One of the event sponsors was Pittsburgh-based cybersecurity firm Ethical Intruder. CEO David Kane shared with me his perspective on security challenges for medical devices, health IT, and hospitals.

Ethical Intruder was founded in 2010, and one of its primary services is evaluating other companies’ product offerings to identify vulnerabilities or ways for a malicious person to use the product or data in unintended ways. “We’re the Consumer Reports of product security,” Kane quipped. In short, people come to Ethical Intruder for an independent evaluation of their cyber vulnerability. The Ethical Intruder team comprises experienced product development and software engineers, who evaluate vulnerability and simulate malicious breaches. The company began with a concentration in protected healthcare information (PHI) but, as medical devices became interconnected with health IT systems in hospitals, the need for enterprise cybersecurity emerged.

The Buck Stops Where?

Hospitals, other healthcare institutions, and medical device companies have to be concerned about the devices, IT infrastructure, and software that they deploy, as a lot is at stake — including a public relations nightmare — in the event of a data breach. Earlier this year, the FDA issued a safety communication regarding cybersecurity vulnerabilities identified in St. Jude Medical’s implanted cardiac devices and Merlin@home transmitter. The FDA confirmed that cybersecurity vulnerabilities associated with the transmitter, if exploited, could allow an unauthorized user (i.e., someone other than the patient’s physician) to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home transmitter. The altered transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.

Kane explained, “When working with a hospital, we look at the hospital’s responsibilities for the processes they are doing themselves, or how they connect externally with partners through the transport of information. We analyze the business risk of cybersecurity vulnerabilities from multiple angles, including reputational loss, financial loss, technical aspects of how they are protecting themselves, and how they are training staff to prevent a breach.”

To emphasize Kane’s point with a well-known commercial example, recall the Target data breach in late 2013. Cyber thieves were able to collect identity and credit card information through vulnerabilities in the point-of-sale (POS) hardware and software used in Target stores. Vendors of the POS systems were not the focus of the story; it was Target that settled with the financial institutions behind VISA and MasterCard for over $100 million. It was Target’s reputation that was soiled, and it was Target that experienced a massive drop in sales as customers lost confidence in the company’s ability to securely handle electronic financial transactions.

Minimizing Regulatory Penalties

While the financial and reputational impacts of a cybersecurity breach may be unavoidable, there can be additional penalties if a company is found to have been negligent in taking proper steps to eliminate, or at least minimize, the potential effects of an exploited vulnerability.

“If there is an issue, it is important to show that you were aware of the possibility, took steps to control it, and have a plan in place to address the vulnerability to minimize or eliminate any regulatory penalties. Additionally, doing so can provide some measure of damage control in the media,” Kane commented.

Kane also said that proper approach and mindset are critical. The risk of vulnerability is a function of the platform chosen, the specific implementation of the system, and the process used to select and evaluate the platform and implementation.

“It’s not a matter of complying with a cybersecurity mandate; we have to focus on building in technical safeguards during the development process,” he said. “There is no one-size-fits-all solution. We have to evaluate the maturity of all areas.”

Do It Right The First Time

Classical project management deals with three variables: scope, schedule, and budget. If you change one of the variables, it will have an impact on at least one, if not both, of the others. Coming from a product development background, Kane looks at project requirements as: on-time, on-budget, and exceed expectations. But, being a “white hat” hacker, he adds to that list consideration for cybersecurity.

“Often, doctors come up with great technological solutions because they were frustrated with how something did not work for them in the past. They develop a proof-of-concept solution and proceed down the development path. Unfortunately, when it gets close to selling their product or going through the regulatory process, they find out, all too late, that they didn’t include some of the security controls they should have. That can either flat-out kill a company, or severely delay the roll-out,” Kane said.

Knowing that the scope, schedule, and budget interact, I asked if cybersecurity considerations have a significant impact on the product development effort as a whole. Kane explained, “Building something that will be more secure does not necessarily mean a huge effort. It does not have to add a lot of additional cost or a lot of complexity, if done from the beginning of the project. Added cost comes from not knowing the full set of requirements, including security, and going down a path that will require re-engineering and the associated additional cost.”

Tearing Down The Silos

Ethical Intruder uses the Cyber Liability Maturity Model (CLMM) with its clients to create a cybersecurity road map. Clients include hospitals and medical device companies, along with cyber liability insurance companies. Kane explained that cyber liability insurance became popular about two years ago as protection from catastrophic data breaches became necessary, but the challenge is how to do the underwriting for the insurance.

The CLMM can help an insurance company set a premium for cyber liability. The CLMM process itself is fairly straightforward, but works best under the leadership of the business owner, the CEO, or a high-level executive. A cross-functional team of high-level leaders is assembled to review policies, map existing assets, provide awareness and training, identify resource needs, test existing infrastructure, plan for incident response, and review contracts, among other things. The team is built to include the executive leader and members from legal, HR, compliance, IT, security, and sales & marketing. When set up and executed well, this team begins a cultural and psychological shift in the company’s thinking, and transforms relationships between departments.

As Kane was explaining all of this to me, I was reminded of January’s FDA webinar on the roll-out of its guidance document for postmarket management of cybersecurity. After FDA’s presentation, agency representatives fielded questions, and one caller inquired about building a team for cybersecurity. The response was provided by Dr. Dale Nordenberg, executive director of the Medical Device Innovation, Safety, and Security Consortium (MDISS).

“The nature of your question exposes a challenge we recognize across the entire industry. That challenge is cybersecurity and medical device functions, and ultimately that the evaluation of those functions, vis-à-vis patient harm, is really a multi-disciplinary capability or expertise,” Nordenberg said. “Many companies have been going through a process of standing up cybersecurity activities and bringing together activities that had historically been siloed.”

He went on to describe some of the silos that must be broken down to improve inter-company collaboration, and they included software development, security, and regulatory. Looking at the similarities between Dr. Nordenberg’s response and Ethical Intruder’s CLMM, I believe a cross-functional team-based approach is clearly the right direction for medtech cybersecurity.