Medical device industry looks to take the lead on cybersecurity standards

Medical device manufacturers are looking to develop cybersecurity standards that would address common vulnerabilities.

There’s a growing movement among medical device manufacturers to develop industrywide cybersecurity standards that offer flexibility to innovate while providing basic protections against the emerging threats facing internet-enabled devices. 

Robert Ford, Abbott’s executive vice president of medical devices, advocated for that approach during an event hosted by the Bipartisan Policy Center. Outlining his company’s methods—which include a product team devoted entirely to cybersecurity—Ford pushed for industrywide standards that could fix common vulnerabilities and urged better threat sharing among industry leaders.

That approach was echoed in a report released (PDF) by Abbott and the Chertoff Group, which outlined potential standards that would cover encryption and data storage, authentication, software updates and patch management.

Abbott may be particularly aware of medical device cybersecurity given the company’s recent run-in with the FDA after acquiring a vulnerable cardiac device manufactured by St. Jude Medical.

Michael Morell, senior counselor at Beacon Global Strategies and former acting and deputy director at the Central Intelligence Agency, said the industry may have no other choice but to take the lead on industry standards.

“If you’re waiting for the government to ride in on a white horse and solve this problem for you, you’re going to be waiting a very, very, very long time,” he said, adding that private industry is better suited to keep pace with evolving threats.

There has been a distinct shift in the way medical device manufacturers view cybersecurity, according to William V. Murray, president and CEO of the Medical Device Innovation Consortium. The growing sentiment among companies is that a vulnerability shouldn’t be viewed as a competitive advantage, especially since research shows those vulnerabilities are often industry-wide problems.

On the healthcare side, providers are weighing the benefits of connected devices against potential threats to patient safety and privacy. That’s an important risk calculation given the tremendous opportunities connected devices offer for patient care. Leslie Saxon, M.D., chief of the division of cardiovascular medicine at the Keck School of Medicine at the University of Southern California, pointed to research at her organization that shows patients with a connected cardiac device that streams data to a secure network live four times longer than those who rely on routine visits.

Even relatively simple improvements can widen that risk-benefit gap, Morell said. While manufacturers may be able to minimize those risks, the potential consequences of a hacked device are still frightening.

“If I was at CIA still and someone said to me the ISIS leader [Abu Bakr] al-Baghdadi had a pacemaker that was connected to the internet, I would ask my guys, ‘How can we use that to get him?’” Morell said. “I would ask that question.”