The December 2020 SolarWinds breach cast a spotlight on the importance of cybersecurity, one that many experts say was badly needed. One person who certainly agrees with this statement is Seth Carmody, former cybersecurity program manager in the Office of the Center Director, Emergency Preparedness/Operations and Medical Countermeasures, within the U.S. FDA’s Center for Devices and Radiological Health and current vice president of regulatory strategy at San Diego-based healthcare security provider MedCrypt.
Below, Carmody shares why the medical device sector needs to embrace the organizational philosophy of shifting left and how now is the time to prioritize cybersecurity.
24×7 Magazine: What does “shifting left” mean in cybersecurity?
Seth Carmody: The SolarWinds events shined a bright light on the gaps in our national cybersecurity strategy. We’ve seen the number of cybersecurity events skyrocket in 2020, making cybersecurity more urgent than ever before. To put it bluntly, we were not prepared to handle the cyberattacks that came along with the pandemic. It’s time to stop considering cybersecurity as an afterthought and start prioritizing it alongside technology innovation. The biggest challenge we’ve seen relates to the cost of cybersecurity.
Global spend on cybersecurity is approaching $100 billion, yet the losses we’ve seen from cybersecurity incidents are between $1 trillion and $2 trillion. There is a huge gap here that too many people are not yet aware of. The data shows that healthcare is spending $10-20 billion in security, and we’re still losing the battle. So, what are we to do? We need to shift left.
Shifting left is typically used to convey prioritizing cybersecurity sooner in a given product’s lifecycle, as ‘shifting left’ has positive economic impacts within a company’s four walls. In that same vein, we’ve observed that in certain industry sectors like healthcare, stakeholders are completely focused on delivering innovative healthcare features, not security features, which makes sense and will continue. However, paradoxically, healthcare has to deliver those innovative clinical features securely.
So, we’ve borrowed the organizational concept of shifting left to prioritize security—but we’ve applied it to the entire healthcare supply chain. It doesn’t make economic sense for organizations focused on healthcare to also focus on security, so the technology they purchase to build healthcare technology needs to be built securely. The idea is to shift the burden of security left in the supply chain, all the way up to the builders of technology.
For example, in medical devices, the idea would be for the tech sector to provide medical device manufacturers (MDMs) with secure components so that MDMs could deliver devices to hospitals that are fundamentally trustworthy and securable.
24×7: How will this theme impact healthcare in 2021?
Carmody: Hospitals have experienced an increase of ransomware attacks in 2020. The pandemic has also caused hospital budgets to shrink dramatically. If the medical device industry prioritizes cybersecurity by making sure all new devices are secured by design, this removes the costly cybersecurity burden hospitals have historically dealt with.
Broadly, SolarWinds has prompted thought leaders in the space to declare that what we’re currently doing is necessary but insufficient. We can’t just perform a risk assessment or establish perimeter defenses or expect customers to secure fundamentally insecurable technology and be resilient against SolarWinds or constant ransomware attacks. These practices will no longer suffice in our space.
24×7: What should various players in healthcare—device manufacturers, HDOs, etc.—prioritize now to join this movement?
Carmody: Healthcare delivery organizations can prioritize cybersecurity by asking their current and incoming medical device vendors if their devices are compliant with the FDA’s pre- and postmarket cybersecurity guidances. Vendors will then be more inclined to bake cybersecurity into their devices at the inception.
24×7: Do you expect to see support from the U.S. government around this initiative?
Carmody: Yes, but government support doesn’t happen spontaneously; industry leaders have to forge a new mentality in order to manifest a new reality in conjunction with governmental support and action. Cybersecurity is the second biggest priority for the FDA right now (after the pandemic).
Because healthcare markets are focused on healthcare, it’s very difficult to prioritize security from a market perspective. This is a perfect role for regulators, such as the FDA as well as congressional legislators, who can supplement market failures with regulations and law, particularly if they target, as recent ones do, the builders of that technology and not the consumers of that technology, like HIPAA does.
24×7: What are the core pushbacks you’ve seen and heard as to why companies aren’t prioritizing cybersecurity?
Carmody: Simply put, if you’re in the business of healthcare, that’s what your business is optimized for, not security. It’s quite a vexing business case to be made that investment in security is as important as your core business. Additionally, the cost of security can be high for a healthcare company, as getting adequate at security means a significant upfront investment in people, processes, and technologies to build fundamentally secure technology. It can be a very difficult initial and continued sell to decision-makers who are keyed in on the core business.
24×7: What’s happening in the industry right now that may help convince healthcare providers to prioritize cybersecurity?
Carmody: In order to be successful and achieve a vision of a cyber-resilient healthcare system, we need to shift the burden of security to the left and upstream of hospitals, physicians, and patients. To do this, we need technology companies to build components that are secure by default and implementable across diverse therapeutic implementations, such that MDMs can focus on building innovative products.
The FDA and the MDM industry have the opportunity to discuss what support for technical expertise at speed and scale would look like in the upcoming MDUFA V negotiations. The FDA needs help from Congress as well to provide the authority and budget so that the FDA can be the arbiters of adequate medical device cybersecurity. It’s a model that works for the FDA as the arbiters of safety and effectiveness.