Steps to Protect Medical DevicesBalancing Security and Patient Safety Concerns
The healthcare industry must delicately balance the need to keep medical devices secure with the need to protect patient safety, says Michael McNeil, global security privacy leader at Medtronic, a device manufacturer.
"You can always overcompensate and have that extra layer of security, but you need to balance it to the efficacy [of the devices] and safety of the patients," McNeil says in an interview with Information Security Media Group [transcript below].
Some key challenges that Medtronic and other device makers face, McNeil says, are ensuring patient safety, including protecting devices from threats that have been demonstrated by ethical hackers; protecting the integrity of patient and customer data; meeting patient privacy and security needs while also complying with regulations; and protecting intellectual property.
In the interview, McNeil also discusses:
- Why Medtronic has consolidated privacy and security functions under one governance structure;
- Steps that healthcare organizations should take to protect medical devices used in their environments from cybersecurity threats;
- The Food and Drug Administration's guidance for mobile health applications, and the cybersecurity threats facing vendors of those products;
- How Medtronic is complying with the HIPAA Omnibus Rule.
As global chief privacy and security officer at Medtronic, McNeil also leads the data protection program for the medical device maker. Before joining Medtronic, he was chief IT security officer at Liberty Mutual Group; global chief privacy officer at Pitney Bowes, and vice president and chief privacy officer of data services for Reynolds & Reynolds. McNeil also is chair of the Medical Device Privacy Consortium's Device Security Working Group.
Top Privacy, Security Threats
MARIANNE KOLBASUK MCGEE: What do you think are the top privacy and cybersecurity threats facing medical devices and why?
MICHAEL MCNEIL: I look at the top threats in two fashions. Number one is making sure that ... we understand that there's a balance between device security and potential threats that would [exist] with the safety [of the devices]. Organizations like Medtronic clearly engage and look at those efforts in a very strong manner, and, by doing so, reach out to external as well as other independent sources, [managing] that balance between patient safety and overall security.
When we talk about what are those top privacy and security threats, I think they can be discussed in how we protect and ensure that there's patient safety, and this is due to the potential threats and potential demonstrated attacks that the industry has experienced and seen by ethical hackers.
Secondly, we want to make sure that we protect and ensure the integrity of our patients' and customers' data. ... Our ability to demonstrate our economic value and the solutions we offer from Medtronic's perspective - we need to make sure that we keep and maintain the integrity of that information, [which] is essential.
Third, we need to make sure we're meeting customers' security and privacy needs. We work within a healthcare environment and a delivery organization, and there are a number of stringent privacy and data protection laws related to securing data and the transfer of that data across a number of geographic borders. That's paramount in the activities that we do.
Finally, [there's] protecting intellectual property. The medical device industry has clearly been ... targeted by a number of nation-state attacks where they've tried to gain access to our networks and ultimately our intellectual property. As organizations like Medtronic continue to expand and develop in emerging markets, it's going to be more and more critical for us to ensure the security of our most critical assets, like IP.
Addressing Theft, Hacker Scenarios
MCGEE: What are you doing at Medtronic to address some of those issues related to IP being stolen or hacked into?
MCNEIL: One of the key steps that we're doing is looking at reducing our overall security risk because we do see an increased use of wireless cloud technologies. [We must] make sure that there's a holistic approach. At Medtronic, we have consolidated our efforts around privacy, device IT and physical security into one organization and governance structure. We [take] a holistic approach toward our patients, our people and the privacy of our information. We also ensure that security is built into our new products and the development processes of the devices and solutions that we offer. We also conduct external testing, in addition to some of the internal testing that we do around vulnerabilities and remediation. ...
We also work heavily across industry and the regulatory landscape, and collaborate around standards, best practices and ongoing monitoring, being pretty vigilant within the space itself. We also try to provide an ability to make sure that if something does go wrong, we can respond rapidly, and we conduct contingency planning and incident response management so that we can be more effective and in tune with our environment.
Responding to Ethical Hackers
MCGEE: You also referenced that ethical hackers have demonstrated how they can program medical devices from afar. The late ethical hacker, Barnaby Jack, demonstrated that he could remotely program one of Medtronic's insulin pumps to deliver a potentially dangerous dose of insulin. Since then, what sort of changes has Medtronic implemented? And what are the biggest lessons that Medtronic and other medical device makers can learn from these sorts of ethical hacker demonstrations?
MCNEIL: One of the first comments that I would make is that, working together with [people] like Barnaby Jack and Jay Radcliffe, who was actually a patient of Medtronic, our collaboration in working with those individuals and others that present information is critical within the entire process. I would also just reiterate that it's not something that's specific to Medtronic and it's more relevant to the industry as a whole. As an industry, we need to continue to collaborate, build into our development processes and work with the regulatory organizations to ensure that we're providing the most safe and efficient solutions for our patients and customers. We need to work with industry in developing those best practices and be able to provide the appropriate response from any type of incident management solution. Those are some of the key elements.
Specifically, as we look at our products and solutions, making sure that we're doing the external, as well as internal, testing and remediation ... is also a critical factor that we've incorporated into our overall program here at Medtronic.
Steps to Protect Medical Devices
MCGEE: What steps should healthcare organizations take to better protect medical devices that are used in their environments from cybersecurity and privacy threats? For instance, should healthcare organizations apply software patches and anti-malware software to medical devices?
MCNEIL: As we work more closely as an industry and collaborate with the regulatory organizations and external industries, you'll find more organizations begin to refine their development processes and they will incorporate ... more security practices. Some of those security practices that you have just eluded to - like doing patching and anti-malware software within their solutions - will be some of the next key steps; but it will be where appropriate and where it makes sense.
As an industry and as an organization, you want to make sure that you're balancing the safety and ethicacy of the devices and the treatment of care for patients, and that you're not being over-onerous around making sure that we're providing the lifesaving solutions that would be available for patients. You can always overcompensate and have that extra layer of security, but you need to balance it to the efficacy and safety of the patients.
Addressing Medical App Security
MCGEE: The FDA recently issued a guidance related to mobile health applications. In that guidance, the FDA says that it intends to focus oversight on a subset of mobile apps. That subset includes mobile apps that are used as an accessory to a regulated medical device or mobile apps that transform a mobile platform into a regulated medical device. With that said, what sorts of cybersecurity issues do you think need to be addressed by vendors of those mobile apps?
MCNEIL: The FDA is currently faced with heightened threats of cybersecurity to patients, potentially to their safety and to the protection of the data and information. Working together with industry and through our processes, they're facing similar impacts and requirements. I think as we talk about that convergence of the traditional IT security efforts and merging those activities into organizations, product development and design processes, it moves us in a very positive way and in that direction.
With strong movement to mobility, the need for access to data and information will forge the practices and requirements. Medtronic, with our structure - how we're executing and working with the FDA, working with external industry, working with the ethical hackers in terms of the research in the marketplace - by coming together and leveraging what might be traditional IT security measures into our broader development and device solutions, that's the winning strategy and what needs to be taken moving forward. You'll see more and more organizations as an industry forge down that pathway.
MCGEE: Does the FDA's new mobile app guidance have a direct impact on Medtronic?
MCNEIL: We have to and will always maintain execution against appropriate standards and FDA requirements. The FDA has put out a draft advisory; they've looked for comments back. Medtronic specifically, by participating in some of the industry forums, has provided feedback through AdvaMed, through the Medical Device Privacy Consortium and through some of the other agencies where we participate so that we focus this from an industry perspective. I do think that if we have a common set of standards and requirements and we're all managing against those in best practices, the impacts to organizations like Medtronic and others in the industry will be fair and balanced, and it will follow appropriate trends and traditions of good security.
Complying with HIPAA Omnibus
MCGEE: On a different subject, many medical device vendors are considered business associates under HIPAA Omnibus. What changes has Medtronic implemented to comply with HIPAA Omnibus?
MCNEIL: In certain Medtronic businesses, we currently have been operating as a covered entity. The HIPAA Omnibus Rule extends some of the requirements of a covered entity to that business associate in terms of the relationships and the appropriate requirements that need to be in place. Since Medtronic had already been operating in some of our business operations under the stipulations of a covered entity, this is a matter of just extending our current practices and making sure that we're positioning our other businesses to make sure that they're representing correctly, and have extended those practices that we have, whether ... internally or through contractors and subcontractors that we do business with. For us, it's more of an extension and a way of continuing to manage our business model, and less of a disruption from our model and how we currently do business with our customers under HIPAA guidelines.