Cybersecurity attacks in the healthcare sector have risen sharply over the past five years. A recent report showed a 44% increase in attacks just since 2021, with more than 600 reported attacks and over 50 million patient records compromised in the U.S. alone. Cybersecurity risks targeting healthcare organizations jeopardize patient privacy and brand reputation. They’re costing healthcare organizations billions every year from a business perspective. And they’re increasingly putting patient safety at risk.
Medical devices represent a unique cybersecurity challenge within healthcare ecosystems. Here’s what every healthcare organization should be thinking about when it comes to medical device cybersecurity — and what you need to know about how Accuray is approaching cybersecurity for our radiotherapy delivery systems and treatment planning solutions.
Rising threats and new regulations make cybersecurity a healthcare priority
The truth is that the healthcare sector has traditionally lagged behind from a cybersecurity standpoint, making healthcare organizations an easy target. For example, a report from HHS shows more than 60% of all ransomware attacks in 2021 targeted the healthcare industry.
Beyond these broad statistics, high-profile healthcare breaches have dominated headlines. Incidents exposing private patient information have embarrassed hospitals. Analysts estimate that cybersecurity attacks are costing the healthcare sector more than $20 billion annually.
Evolving data privacy regulations are also making cybersecurity a top priority for healthcare organizations, as well as for the vendors and medical device manufacturers (MDMs) they partner with. Beyond HIPAA, hospitals have been categorized as critical infrastructure since 2015. Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), healthcare organizations are now required to report all cybersecurity attacks to HHS for investigation. A new amendment to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act also requires healthcare organizations to implement and demonstrate compliance with cybersecurity best practices.
Why medical devices present unique cybersecurity risks
A large portion of cyberattacks on healthcare organizations center on the internet of things (IoT) ecosystem — targeting medical devices that are increasingly interconnected to systems and networks within the healthcare organization. One study found that 8 out of 10 healthcare organizations experienced an IoT-focused cyberattack in the past year. Even more alarming, the same study found that 30% of these medical device attacks led to potential patient safety risks.
Most healthcare organizations have growing teams dedicated to cybersecurity. These teams typically include a Security Operations Center (SOC) or Incident Response (IR) team that focuses on detecting, mitigating, and responding to hacking, ransomware, malware, and other cyber threats, while the security team and/or risk management team manages the broader security posture of the organization’s IT infrastructure and systems.
But medical devices represent a sort of “black box” for these teams: healthcare organizations have no control over what’s inside the devices. They often don’t even have full visibility or transparency into how these devices are built and where the risk points might be. And they certainly cannot make changes to the devices to address cybersecurity risks without creating enormous patient safety liabilities.
The FDA is pushing for MDMs to be fully transparent and adopt a shared responsibility model for cybersecurity. But ultimately, the biggest costs and risks fall on the healthcare organizations. And in some cases, there are aspects that are even beyond the control of the MDM. For example, most MDMs do not build all components of a medical device in-house. Increasingly complex devices are composed of components from multiple suppliers and their sub-suppliers — and the MDM has limited visibility and control over the technologies, support life, and updating/patching of those components.
Moreover, the medical device software or firmware update process is more complex than that for IT systems or other devices because of regulations. MDMs can’t simply follow the typical IT dev/ops model of pushing continuous security patches and updates in real time. Those updates would require the MDM to go through either thorough testing procedures (the Validation and Verification process) or even the entire FDA approval process all over again.
How healthcare delivery organizations can evaluate medical device cybersecurity risk
The good thing is that we’re seeing healthcare organizations taking cybersecurity very seriously. Cybersecurity is now a top concern for buying committees within healthcare organizations. Chief information security officers (CISOs) and IT leaders increasingly play a pivotal role in those buying committees, and healthcare organizations recognize that they need to not only ensure a medical device is clinically proven, but also extremely secure to protect patient safety.
Healthcare organizations need to evaluate not just the device itself, but the MDM organization behind that device:
- How secure is the MDM as an organization? Healthcare organizations should evaluate all processes, procedures and the overall security posture of the MDM.
- How are they protecting their data? As cloud technologies are introduced into the healthcare industry, patient data is increasingly stored on the MDM side. Healthcare organizations need to understand how the MDM is securing these internal systems and databases to protect patient data and other sensitive information.
- How are they building cybersecurity into design processes? Are they building cybersecurity into their devices from the ground up — or is cybersecurity a retroactive patch?
- How are they evaluating their suppliers? Once again, most MDMs rely on a network of suppliers for critical technical components. An MDM and its devices are only as good as their weakest link.
How Accuray is approaching cybersecurity
At Accuray, we view cybersecurity as essential to patient safety and absolutely fundamental to our mission to improve as many lives as possible. We take a multi-modal approach to cybersecurity that includes people, processes and technology. Here are a few highlights of the approach Accuray takes to maintaining cybersecurity:
- Cross-functional cybersecurity team: The Accuray cybersecurity team includes leaders from every function within the company — from IT and security, to medical engineering, software development, supply chain and more. This team is constantly reevaluating our products, systems and processes to identify issues and risks in order to remediate and improve our cybersecurity posture.
- Chief information security officer role: Our CISO blends an external and internal view of cybersecurity: monitoring evolving threats and changing regulatory requirements in the broader healthcare landscape — and ensuring that those risks and requirements translate directly into our product design and architecture.
- Cybersecurity standards: Accuray adheres to the highest industry standards around cybersecurity, including NISO, ISO 27001, JSP and more. These are proven standards that give our customers peace of mind. Our adherence to these common standards also provides a baseline for communication, making it easy for our customers to see that we meet their own requirements and standards. Accuray is incorporating the cross-functional requirements and processes into our Global Quality Management System, which ensures the processes are defined and the requirements are met.
Accuray cybersecurity principles
Cybersecurity is a constantly moving target. That’s why our structured cybersecurity program is built upon seven core principles that guide us and allow us to remain agile in addressing emerging risks and concerns. We strive to:
- Security by design: Develop products using a Security by Design philosophy throughout each phase of product development, in accordance with the Accuray security development lifecycle process, to help ensure confidentiality, integrity, and availability.
- State-of-the-art security: Update security controls, features and procedures in harmony with new security technologies that reasonably protect Accuray products from current and future threats to confidentiality, integrity, and availability.
- Defense in depth: Design Accuray products with multiple layered security controls through access control, application security, network security, system security and detection, to reduce attack surface, minimize incident impact, and respond to events.
- Risk-based approach to cybersecurity: Consistent with industry practices, rely on a risk-based cybersecurity approach to identify, prioritize and allocate resources to achieve measurable cybersecurity risk reduction.
- Cyber resilience: Continuously enhance the organization’s cyber resilience to address the rapidly changing cyber landscape with agility.
- Lifecycle management: Monitor post-market vulnerabilities and provide security patches and updates in a timely manner.
- Compliance: Harmonize industry best practices and standards, and maintain compliance with global laws and regulations.