Additionally, security is hard and requires dedicated resources and deep specialization. Despite spending $10-20 billion on cybersecurity, healthcare lacks sufficient resources to get it right, especially considering that in some cases it's healthcare versus nation-states. Should it be private companies' responsibility to defend against nation-state attacks just because they're cybersecurity-related? Would private industries be responsible for defending against a kinetic nation-state attack? Of course not, so why is cybersecurity different? Why do we shame and fine hospitals for their security practices? Even well-incentivized and well-financed industries with deep specialization struggle; look no further than finance and defense. Even the NSA has had its own struggles with security. If security isn't kind to the security industry, why should we put the burden on healthcare? What will it take for us to understand the magnitude of the challenges facing healthcare and take the necessary steps to address them? We put businesses in a situation where they have to choose between devoting resources to their primary business and spending enormous resources on proactive security in a deep technical discipline; the data show that we get worse security and worse healthcare.
What have we observed?
Technologies built to serve healthcare are built primarily to deliver healthcare features, not security features, including the monitoring that would help connect security events with patient outcomes. Since devices typically aren't equipped to monitor and detect security issues, only indirect means are available. In an attempt to find a quantitative way of measuring cybersecurity progress, we turn to the regulatory body. The FDA's Postmarket Cybersecurity Guidance (December 2016) encouraged device vendors to participate in cyber risk information sharing in a variety of ways, such as through FDA safety communications, ICS-CERT, or information sharing entities that share medical device vulnerability information, such as the H-ISAC and medical device Information Sharing and Analysis Organizations (ISAOs).
Two of the presumed benefits of information sharing are that 1) industry stakeholders have the information necessary to minimize their cybersecurity risk and 2) other medical device vendors can use this information to prevent their products from having the same or similar vulnerabilities.
An analysis of the ICS-CERT database reveals that device vendors reported a more than five-fold increase in disclosed vulnerabilities since the release of the FDA premarket guidance. Two competing hypotheses present themselves here: has there been an increase in the number of vulnerabilities in devices? Or has the FDA guidance encouraging information sharing helped the industry move up the cybersecurity maturity curve?