Cybersecurity for Medical Devices: Is Regulation Really Necessary?

Regulation has been a hot topic recently, as cracks emerge in the global banking system. Some argue that governments should play an active role in preventing crises supposedly brought about by the recklessness of private entities. Others say that self-regulation is better for the private sector and government intervention will only foster dependence on bailouts and compulsory action.

When it comes to cybersecurity, it appears the government is also pushing toward tighter regulation as experts raise alarms over healthcare cyber threats. Interestingly, there seems to be no pushback from cybersecurity firms. The resistance is mostly from device manufacturers.

Does this mean that security providers agree that regulation is necessary? What does this apparent acquiescence imply? And is there something about medical devices in particular that has legislators rushing to regulate their cybersecurity?

The nature of medical device regulation

In mid-March, US senators convened to examine the cybersecurity risks of the healthcare industry. Senator Gary Peters, Chairman of the Homeland Security and Governmental Affairs Committee, expressed his concerns over the growing threat to American healthcare. “Cyber-attacks on hospitals, and other health care providers, can cause serious disruptions to their operations, and prevent them from effectively providing critical, lifesaving care to their patients,” Peters said.

This Senate move is not the first to address the growing seriousness of cyber threats. Other regulations have been issued before, addressing other areas of concern. The prevailing thrusts of these laws and regulations are incident reporting, making device makers responsible for their products’ cybersecurity, and assistance to those affected.

The US government wants organizations to be transparent about the attacks they have encountered while requiring device makers to ensure that the connected devices they sell are inherently secure, not tools that assist cybercrime out of the box. Also, the government aims to help train federal offices and agencies in becoming equipped to address the threats and in recovering from an attack.

Why the cybersecurity industry is not bothered by regulation

It’s not that much of a stretch to say that government regulation can be an indirect competitor to cybersecurity providers. However, this does not appear to be the perspective of cybersecurity industry players. The push for cybersecurity for medical devices, in particular, is welcomed, even if it could mean that secure devices would reduce the need for cybersecurity solutions.

The reason for this non-resistance to regulation can be summed up as follows:

  • Cybersecurity firms are accustomed to cooperation and collaboration.
  • Cybersecurity is too broad for regulation to completely take over.
  • Regulations and standards help create more demand for cybersecurity solutions.
  • Cooperating with cybersecurity initiatives is reputationally advantageous.

Cybersecurity industry players have been working with each other to address emerging threats. They do not keep their security research confidential. Instead, they usually share everything with the global cybersecurity community, even if it means that cyber attack perpetrators are informed that their schemes have already been exposed (and they need to come up with new attacks). There is an unwritten acknowledgment that no single or few cybersecurity providers can effectively address rapidly evolving and increasingly aggressive threats. Defenders need to work with each other to keep up with the attacks and not get overwhelmed into irrelevance.

On the other hand, regulation is not really enough to significantly reduce the need for cybersecurity services. Even if a certain security demand is removed, cybersecurity firms are innovative enough to identify new security needs and provide the corresponding new solution. In IoT and medical device regulation, for example, the government requirement for manufacturers to make their products secure creates the demand (among device manufacturers) for a platform to automate IoT or medical device observability and security. Instead of relying on traditional security patching, medical device makers can use an IoT observability and security platform to automate compliance and ascertain product security.

Moreover, government regulations on cybersecurity create more demand than what is being eased out. Organizations usually lack cybersecurity expertise to easily comply with new regulations. They usually turn to third-party providers to help them meet security standards and regulatory requirements. With the government making cybersecurity standards compulsory, virtually everyone is convinced to allocate enough resources for cybersecurity tools and the implementation of secure practices and precautionary measures.

Lastly, cooperation is a badge of honor for those in the cybersecurity community. Being able to identify novel forms of attacks and providing the appropriate solution bodes well for security firms. It puts them in the news and associates their brand with effective security solutions. It boosts their reputation and helps attract customers. This is not to say that cybersecurity providers are discreetly chasing “clout,” but a nod to the fact that working with the government and others in the industry is not a burden.

The rationale for regulation

Cybersecurity regulation, especially in the context of the security of connected medical devices, is necessary because of the seriousness of the risks. It is not just about hospitals losing money to spyware or health clinics losing revenues because of disrupted operations. Lives can be directly affected by the attacks.

It does not make sense that there are strict laws prohibiting healthcare facilities from sharing patient records without explicit patient authorization, but such confidential information can be easily stolen by hackers. Poorly secured medical devices and IoT in the healthcare setting lead to incidents like the attack on Shields Health Care Group that resulted in the theft of more than two million patient records.

Also, the cybersecurity transparency promoted by regulation makes it easier to address attacks. Some healthcare facilities prefer not to divulge successful attacks on their systems because of the possible reputational damage and liability under data privacy rules. With government regulation compelling disclosure of attack details, the global cybersecurity industry can collectively analyze and resolve emerging threats.

Moreover, regulations help establish, solidify, and foster the adoption of new standards and best practices for cybersecurity. Everyone is compelled to keep abreast of the latest threats and security solutions instead of optionally taking up only the solutions organizations find convenient or easy to implement.

Is regulation really necessary? It would be inexpedient to answer this question in the negative. The benefits of regulation easily outweigh the encumbrances. Also, it makes little sense to resist regulation when the cybersecurity community in general is not even against it.

Nayomi Lam