
Healthcare is littered with failed attempts by big tech to break in. Here’s why.

A large hospital can leverage thousands of connected medical devices, but locating and securing those vulnerable endpoints is an ongoing challenge for all providers. (Photo by Hristo Rusev/Getty Images)

First, credit where credit is due: Healthcare and technology have made incredible strides in patient care over the last two decades, shifting care from within the four walls of a hospital to remote-care settings. Medical records can even be accessed from a smartphone.

But not all tech vendors that enter the healthcare environment do so successfully. Many vendors, including some of the most dominant players in the tech space, have a revolving door of healthcare leaders. Others hop in, then hop out again when the juice doesn't quite prove worth the squeeze.

There are exceptions: those that forge ahead, establishing stronger partnerships with health systems to bring innovative solutions to longstanding medical challenges. Those outliers show the real opportunity for innovation in healthcare, said Dan Dodson, CEO of Fortified Health Security: it belongs to vendors willing to commit, to truly understand the challenges, and to engineer solutions that above all else recognize the “uniquenesses of healthcare.”

Vendors able to do that can “solve real problems in healthcare, can be very successful, and help move the market forward,” said Dodson.

Building on healthcare’s 'uniqueness'

Here's what doesn't usually work: A vendor identifies an inefficiency that it decides to fix for the healthcare sector, then goes off into the lab so IT developers can decide what is the most effective approach. Too often the end result fails to consider the nuances that drive healthcare decision making.

“It can be kind of a culture shock almost because a lot of times the primary motivators are much different in healthcare than they are in other verticals, specifically around patient care and things of that nature,” said Ben Denkers, chief innovation officer for CynergisTek. “It’s unlike anything else.”

For example, reliance on legacy tech is more prevalent in healthcare than in any other industry, and unlike other sectors, a firewall can’t simply be placed around every single piece of vulnerable tech. When it comes to remedying those vulnerable elements, a vendor must also understand how to handle something that breaks, all while protecting the patient population.

Many provider organizations “rely on legacy infrastructure that's been under-invested in, including 15- to 20-year-old medical devices operating on the network, combined with limited staff,” explained Dodson.

Combine that complexity of legacy technology with the requirements of confidentiality, integrity, and availability associated with healthcare data, which “is everything,” Dodson stressed. Vendors must ensure systems are up 24/7, but they also must work within the challenges associated with some version of legacy technology on the network.

“In order for me to be successful as a vendor in healthcare, I have to understand those dynamics in the way that I build my technology, but also the way that I support my technology on a go-forward basis because they don't have large teams,” said Dodson. “Unless you're in the top 100 health systems in the U.S., you have to be able to operate in that environment.”

Indeed, vendors must be able to assess the operational impact of their technology and the potential implications of failures, Denkers added. In healthcare, those failures can have long-lasting effects that could lead to patient harm or affect how the organization itself handles patient care.

This is “a perfect example of where non-healthcare entities or vendors may not do very well,” he said, particularly if the vendor does not appoint expert leadership within.

Medical devices: a case study for vendor-provider partnerships

The disconnect between products designed for healthcare by a vendor and the need for provider feedback can be seen clearly with medical devices. The security challenges have been long discussed, rooted in one prime flaw: the devices weren’t designed with security in mind.

While the culture is changing, Denkers noted that often there was “no skin in the game for the vendor” and those device flaws, patch challenges, and related issues all fell to the provider organizations.

In fact, until recently, many device manufacturers weren’t investing in security. Instead, they relied upon someone else to assume the risk. Software and widgets weren’t strongly tested, nor were research or development dollars spent on these elements.

“All they were designed to do was make sure that they could keep a patient safe. That is it,” said Denkers. Now the onus falls to the manufacturer, with the Food and Drug Administration working hard to advance its cybersecurity requirements and frameworks for manufacturers. Many vendors have taken these shifts in stride, making swift disclosures to protect organizations. But some are resisting, noting that it’s not within their wheelhouse and that the device was designed to be “clinically safe.”

Denkers believes the culture is changing and things are getting better. Once a business associate agreement is signed, manufacturers are working to invest in security before building the software or widgets, often with support from security vendors. FDA manufacturer requirements will help.

But as it stands, “the risk acceptance is on the provider and not on the vendor,” Denkers said, adding that a “shared responsibility approach” is the only means of effectively establishing those trusted relationships between the healthcare entity and the vendor.

Healthcare cybersecurity requirements defined

In fairness, even as product vendors historically offloaded risk to the provider, the providers themselves assumed otherwise – focusing on operational impact and patient care and leaving cybersecurity considerations to third-party vendors to address, said Denkers. “So if you're going to invest, and you're going to bring a product to market to bear, please take the time to implement what you need from a security perspective upfront.”

Given the disconnect that often exists between vendor and provider, a strong business associate agreement and contract are crucial to effectively support healthcare entities and ensure compliance with all aspects of the Health Insurance Portability and Accountability Act. Contracts should include how data must be stored and accessed, as well as the frequency of changes and reviews to business continuity and disaster recovery plans. Without it, Denkers noted the “organization itself has no teeth with the vendor.”

By adding specifics to the contract, “there's a much larger level of trust upfront that would be appealing to anybody,” said Denkers. That enables a shift from “assume and trust” to validation, ensuring the vendor is doing everything it has attested to do before a breach occurs. Some of the fallout currently facing customers of Eye Care Leaders, more than a year after a ransomware attack, arguably could have been avoided with a more detailed and properly managed business contract.

“It's the difference between wanting to do the right thing and doing something because someone told you to do it,” Dr. Dan Golder, principal for Impact Advisors, recently told SC Media. “Good organizations have kept up regardless of what the rules say.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
