A few weeks ago I was out on a bike ride with some friends and had a malfunction with my bike going downhill at 35 mph. I went over my handlebars and hit the pavement hard — I remember feeling my head hit the ground. Miraculously, I walked away from this accident with a minor concussion and some bumps and bruises. My helmet was cracked in half, but it saved my head. Of all the injuries I could sustain on a bike — broken arm, clavicle, wrist, road rash — injury to my brain is one that is difficult to recover from. I’d argue, of my physical body, it is my most important asset.
Six months before my crash, I was in a bike shop buying this helmet. The sales guy presented me with a few options: there was a $300 helmet and a $60 helmet. I asked him to help me understand the difference between the two. His response was classic: he said, “If you have a $300 head, get a $300 helmet. If you have a $60 head, get a $60 helmet.”
I got the $300 helmet.
The difference between the helmets is the $300 helmet has pieces of carbon fiber woven throughout the foam that provide extra protection to the head. While the foam part of my helmet was destroyed, those strands of carbon fiber were intact and absorbed the majority of the blow — they literally saved my head.
The incident happened so quickly that I didn’t have time on my way down to stop by the shop and upgrade my helmet; I had to plan ahead to protect what was most important to me. Cyber events are similar to my crash: they are impossible to predict, hit fast and can spread rapidly. If you look at the WannaCry ransomware attack, the rate at which it spread and the resulting damage was massive. Within a few days, the attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. It compromised hospital systems that were critical to delivering care. Patients were turned away from healthcare organizations because those critical assets were down.
In the last month, I hosted a two-part webinar with Seth Carmody from the FDA discussing the pre-market guidance for handling cybersecurity in medical devices. Though not regulation, the document lays out a handful of prescriptive recommendations for medical device manufacturers to follow when designing medical devices. This guidance can be seen as a version of the $300 helmet. It encourages manufacturers to take responsible actions to protect their assets. To protect the devices, the guidance language encourages manufacturers to do the following:
- Limit access to trusted users and devices
- Authenticate and check authorization of safety critical commands
- Ensure trusted content by maintaining code, data, and execution integrity
These practices aren’t rocket science, and many industries have figured them out and are doing a good job executing. They are implementing security best practices like multi-factor user authentication, mutual authentication of all systems, code signing, encryption and leveraging secure boot. They are using scalable technologies like certificate-based security through PKI. These practices work and lead to better outcomes when an organization is hit with a cyberattack.
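To make the guidance bullets above concrete, here is an added example (not from the FDA document or the webinar) of how a device might authenticate and authorize a safety-critical command before acting on it. It uses a symmetric HMAC key per issuer as a stand-in for the certificate-based mutual authentication the paragraph mentions; the device, issuer, role and command names are all constructed for illustration.

```python
import hmac, hashlib, json

# Constructed sample keys; a real device would provision per-issuer credentials at manufacture.
ISSUER_KEYS = {"pump-console-1": b"constructed-key-A", "ward-tablet-7": b"constructed-key-B"}
ISSUER_ROLES = {"pump-console-1": "clinician", "ward-tablet-7": "observer"}
# Commands that change therapy: only an issuer holding the clinician role may send them.
SAFETY_CRITICAL = {"set_infusion_rate", "deliver_bolus", "stop_infusion"}

def canonical(msg):
    # Deterministic encoding so the sender and the device compute the MAC over identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def sign_command(issuer, counter, command, params):
    # Issuer side: attach an HMAC-SHA256 authenticator over the whole message.
    msg = {"issuer": issuer, "counter": counter, "command": command, "params": params}
    tag = hmac.new(ISSUER_KEYS[issuer], canonical(msg), hashlib.sha256).hexdigest()
    return {"msg": msg, "tag": tag}

class Device:
    def __init__(self):
        self.last_counter = {}  # per-issuer high-water mark used to reject replayed commands

    def check(self, envelope):
        msg, tag = envelope["msg"], envelope["tag"]
        issuer = msg.get("issuer")
        key = ISSUER_KEYS.get(issuer)
        if key is None:
            return "reject: unknown issuer"
        # 1. Authenticate: recompute the MAC and compare in constant time.
        expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad authenticator"
        # 2. Freshness: a counter at or below the last accepted one is a replay.
        if msg["counter"] <= self.last_counter.get(issuer, -1):
            return "reject: replay"
        # 3. Authorize: safety-critical commands need the clinician role.
        if msg["command"] in SAFETY_CRITICAL and ISSUER_ROLES.get(issuer) != "clinician":
            return "reject: not authorized for safety-critical command"
        self.last_counter[issuer] = msg["counter"]
        return "accept"
```

Note that a tampered parameter fails at the authentication step before any authorization logic runs, and that the replay counter only advances on an accepted command.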
The FDA guidance also encourages manufacturers to have the ability to detect, respond to and recover from cyberattacks. To have these capabilities, manufacturers need to have intrusion detection, patching capability, user alerts, scanning capabilities, encryption and authentication, code signing, and backups of their systems. Working through these items and acting responsibly before releasing a product is equivalent to purchasing a $300 helmet and will, again, result in better outcomes when your organization is hit.
So the question to organizations is: what are your most important assets? What would cripple your business if those assets were compromised? In conversations I’ve had with executives, the most common responses to the first question are brand, reputation, intellectual property, customers, data and people. In today’s connected world, these assets are becoming more and more exposed to cyberattacks. Companies like St. Jude Medical, Hospira and many others have felt the harsh results of a publicly disclosed exploit. Following the public exploit of their cardiac device, St. Jude Medical’s stock dropped approximately 20%, and the damage to their reputation led to their ultimate sale to Abbott Laboratories.
Healthcare is moving in the right direction. Security teams are coming together within most organizations, but many of them still don’t have the resources needed to put adequate protections in place. When a cyberattack happens, and it will, there will be no warning. Organizations that have not acted responsibly in the development of their products and adhered to the guidance the FDA has given will experience much greater damages. I’m confident that, in retrospect, many of them will wish they had purchased the $300 helmet.