Based on his recent keynote presentation at AAMI eXchange, TRIMEDX Senior Vice President of Cybersecurity Scott Trevino was featured in an article published by AAMI on health care's cybersecurity landscape, the threats that surround it, and what health systems and independent service organizations (ISOs) can do to be prepared. The article, as it appeared on June 17, 2023, follows.
The cybersecurity threat landscape in healthcare has deteriorated to the point that even the powers that be in a proverbially gridlocked Washington are taking action. New cybersecurity legislation and regulations will challenge healthcare technology management (HTM) professionals in industry, healthcare systems, and ISOs. Are you ready?
“There’s been a real urgency in DC around how to respond,” said AAMI eXchange 2023 keynote speaker Scott Trevino, senior vice president of cybersecurity at TRIMEDX. “You can tell it’s late, in fact, right? By the time you make the legislation, the problem already exists. There’s a significant issue for cybersecurity within healthcare. As a result, there’s been a huge legislative focus.”
Four major pieces of legislation have been enacted in just two years:
- State and Local Government Cybersecurity Act of 2021
- Cyber Incident Reporting for Critical Infrastructure Act (2022)
- Strengthening American Cybersecurity Act of 2022
- Consolidated Appropriations Act (Omnibus Bill) (2023)
“The majority of the legislation is foundational blocking and tackling,” Trevino said. “It’s empowering government to work with the private sector. It’s enabling government to work with federal, state, and local governments, work across agencies. But most recently with the Consolidated Appropriations Act—the Omnibus Bill—there’s some very specific requirements around medical device cybersecurity.”
The White House also has issued a number of Executive Orders on cybersecurity focused on national security, most of which are not specific to healthcare. “There’s also a proliferation of playbooks, standards, best practices, and guidance, which are all fantastic,” Trevino said.
The $1.7 trillion Consolidated Appropriations Act allocated $2.9 billion for cybersecurity and includes these provisions aimed at the cybersecurity of medical devices:
- Empowers the Food and Drug Administration (FDA) to ensure that devices are designed and maintained with security in mind, and defines what a cyber device is (and is not).
- Specifies new premarket submission requirements, including a software bill of materials (SBOM) and a plan for addressing vulnerabilities, and new postmarket requirements, including coordinated vulnerability disclosure and keeping devices secure through software and firmware updates and patches.
- Tasks the FDA to provide new cybersecurity resources within 180 days, then at least annually.
- Tasks the Government Accountability Office (GAO) to publish a report on cyber challenges, including legacy devices, within one year.
- Tasks the GAO and the Cybersecurity and Infrastructure Security Agency (CISA) to update premarket cybersecurity guidance within two years and to solicit feedback.
“The requirements, I think, are fantastic,” Trevino said. “The SBOM vulnerability disclosure requirement is very good. The biggest challenge here is this is only for premarket submissions today. And based on my past, I’ve done analysis to look at what it would take to flip the installed base in market with new product introductions. Not even those that require approval from the FDA, just adding new product in market. We’re talking 20 years. So, this is a great start, but we can’t sit and wait.”
Putting the Legislation and Regulations into Context
Trevino set the stage for this extraordinary activity by highlighting a confluence of macro trends in healthcare that are already creating “a great deal of complexity and challenges.”
- Patient experience—delayed treatment, increased wait time, cancelled procedures, safety issues and concerns.
- Hospital finances—increased labor costs, lost revenue, increased operational expenses, reduced margins, inflation, and talent shortage.
- Safety and risk—increased risks to patient safety, regulatory compliance, device recalls, availability, and security.
- Clinician satisfaction—increased workloads, more administrative tasks, more time looking for equipment, and more frustration and stress.
- Technician satisfaction—increased workloads, more administrative tasks, longer repair times, shifting landscape, more frustration and stress.
Trevino shared a few eye-opening statistics that exemplify these challenges. For example, staffing shortages are the #1 concern for healthcare executives and patient safety professionals; drug and labor costs have increased by almost 25% in the last year alone; and 33% of hospitals are operating on negative margins.
And then there’s the cyberthreat landscape for healthcare systems, with a 211% increase in ransomware attacks in the last five years and an 86% increase in cyberattacks from 2021 to 2022. Premiums for hospital cybersecurity insurance have risen by more than 100% over the past year—if insurers are even willing to provide it.
What the HTM Community Can Do
How the FDA will apply its new authorities is an open question. In the meantime, cybersecurity is a “shared responsibility across all the constituencies” of the medical device industry, Trevino said. What can key stakeholders do? He offered these recommendations:
- Original equipment manufacturers (OEMs), if they’re not doing so already, should be executing robust design control, identifying risk, putting a strong software development lifecycle (SDLC) process in place, and employing “secure by design” and other principles to ensure cybersecurity. “That will be a significant change, challenging and costly both from investment and timeline standpoints, but it’s the right thing to do,” Trevino said. They also should be preparing for the impact of the changes to premarket submissions and postmarket monitoring, which could be significant.
- Healthcare systems can build a cybersecurity ecosystem that integrates people, technology, and processes. They can build cybersecurity and HTM expertise and integrate IT, HTM, and information security talent so that, together, they can identify, protect against, detect, respond to, and recover from a cybersecurity breach, the five core functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. They can drive efficiencies with security platforms, process automation, and information systems that provide analysis and insights for action. And they can establish processes that enable multidisciplinary teams to collaborate and improve their cybersecurity posture.
- HTM professionals and their colleagues can conduct a robust inventory of their medical equipment, identify and prioritize vulnerabilities and risks, and work together to mitigate them. Trevino also advised them to stay informed and engaged in cybersecurity issues in their organizations and to participate in the development and refinement of guidance and standards.
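The SBOM requirement in the premarket provisions above and the inventory-and-prioritize recommendation here describe the same practical workflow. What follows is an added example, not code from the AAMI article or from TRIMEDX: it reads a CycloneDX-style SBOM for each device in an inventory, matches components against a vulnerability feed by component name and version range, and ranks the findings by severity, network exposure and patient criticality. Every device record, component name, purl and advisory identifier (EXAMPLE-0001, EXAMPLE-0002) is a constructed placeholder, and the scoring weights are an assumption of this example rather than any published standard. A device with no SBOM at all is reported separately, since nothing about its software can be assessed from the inventory alone.

```python
"""Added example: match a device inventory's SBOMs against a vulnerability feed and rank findings.
All data below is constructed for illustration; nothing refers to a real device, package or advisory."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX-style SBOMs (subset of the real schema's fields).
SBOM_INFUSION_PUMP = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-tls", "version": "1.0.2",
         "purl": "pkg:generic/example-tls@1.0.2"},
        {"type": "operating-system", "name": "example-rtos", "version": "4.1",
         "purl": "pkg:generic/example-rtos@4.1"},
    ],
})
SBOM_PATIENT_MONITOR = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-tls", "version": "1.1.0",
         "purl": "pkg:generic/example-tls@1.1.0"},
    ],
})

# Constructed vulnerability feed: affected version range [introduced, fixed), CVSS base
# score, and whether the flaw is reachable over the network.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "component": "example-tls", "introduced": "1.0.0",
     "fixed": "1.0.3", "cvss": 9.8, "network": True},
    {"id": "EXAMPLE-0002", "component": "example-rtos", "introduced": "4.0",
     "fixed": "4.2", "cvss": 6.5, "network": False},
]


@dataclass
class Device:
    asset_id: str
    model: str
    network_connected: bool   # reachable from the hospital network or an external interface
    patient_critical: bool    # failure or manipulation directly affects patient safety
    sbom: Optional[str]       # None models a legacy device whose manufacturer supplied no SBOM


# Constructed inventory: the same pump model appears twice with different network exposure.
INVENTORY = [
    Device("PUMP-0001", "Example infusion pump", True, True, SBOM_INFUSION_PUMP),
    Device("MON-0001", "Example patient monitor", True, True, SBOM_PATIENT_MONITOR),
    Device("PUMP-0002", "Example infusion pump", False, True, SBOM_INFUSION_PUMP),
    Device("LEGACY-0001", "Example legacy imaging unit", True, False, None),
]


def parse_version(version: str) -> tuple:
    """Dotted numeric version string -> comparable tuple, e.g. '1.0.2' -> (1, 0, 2)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, vuln: dict) -> bool:
    """True when introduced <= version < fixed (the fixed version itself is clean)."""
    v = parse_version(version)
    return parse_version(vuln["introduced"]) <= v < parse_version(vuln["fixed"])


def vulnerable_components(sbom_json: str, feed: list) -> list:
    """Return (component, vuln) pairs for every SBOM component inside an affected range."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        for vuln in feed:
            if vuln["component"] == comp["name"] and is_affected(comp["version"], vuln):
                hits.append((comp, vuln))
    return hits


def priority_score(device: Device, vuln: dict) -> float:
    """Assumed weighting for this example: CVSS, adjusted for exposure and patient impact."""
    score = vuln["cvss"]
    if vuln["network"]:
        # A network-reachable flaw matters more on a connected device and less on an isolated one.
        score += 2.0 if device.network_connected else -2.0
    if device.patient_critical:
        score += 1.0
    return round(score, 1)


def assess_inventory(inventory: list, feed: list) -> tuple:
    """Return (findings sorted highest priority first, asset_ids that could not be assessed)."""
    findings, unassessable = [], []
    for dev in inventory:
        if dev.sbom is None:
            unassessable.append(dev.asset_id)  # no SBOM: escalate to the manufacturer, do not assume clean
            continue
        for comp, vuln in vulnerable_components(dev.sbom, feed):
            findings.append({"asset_id": dev.asset_id, "model": dev.model,
                             "component": f"{comp['name']} {comp['version']}",
                             "vuln_id": vuln["id"], "priority": priority_score(dev, vuln)})
    findings.sort(key=lambda f: f["priority"], reverse=True)
    return findings, unassessable


if __name__ == "__main__":
    ranked, unknown = assess_inventory(INVENTORY, VULN_FEED)
    for f in ranked:
        print(f"{f['priority']:>5}  {f['asset_id']:<12} {f['vuln_id']:<13} {f['component']}")
    print("No SBOM available (assess manually):", ", ".join(unknown))
```

In this run the network-connected pump with the remotely reachable flaw ranks first, the isolated pump with the same component ranks below it, the monitor on a fixed version produces no finding, and the legacy unit is listed as unassessable rather than silently omitted; that last category is the one the GAO legacy-device report called out above, and in a real inventory it is usually the largest.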