With so many apps, connected medical devices and messaging systems, the world of healthcare is going more mobile — no longer is every system under the umbrella of a hospital IT specialist. But that pivot toward digital health raises questions for innovators and IT specialists about how to track and monitor security when building and implementing new products.
That’s where a security dashboard for startups could come in handy. But what, exactly, should you track? What are the priorities to monitor? How do you know such a dashboard is comprehensive enough? And who should design, build and, ultimately, own the dashboard?
We interviewed infosec experts to find out. Here’s what they had to say.
Base your dashboard on risk
When it comes to a cybersecurity dashboard for digital health tools, each will look different depending on the risks and what needs to be measured.
“The first two things that should be considered are the risks of the intended environment and what is the environment that this is going to be used in,” Julie Connolly, principal cybersecurity engineer at MITRE, told MobiHealthNews. “I’ve seen apps for an EKG on an iPhone, or on [the other side] you will have a PET scanner emitting radiation. There are different risk profiles there, and you will be more concerned and want to be more precise in your development and have more control in your development [based on the scenario].”
While each tool should have its own set of priorities, some of these questions about what needs to be measured and which devices need what measurements have already been investigated by the FDA. For example, the agency offers an interactive tool for innovators to see which cybersecurity guidances they need to follow, which organizations can reference when looking to put together their own dashboard.
“A company that is taking an exhaustive approach to the security of their product will be doing a long list of things, from procedural things relating to how to alert your patients and your users to the cyber security of your device to how you handle complaints to device functionality to really all the processes that a vendor should have in place,” Mike Kijewski, CEO of medical device security startup Medcrypt, told MobiHealthNews. “These are spelled out in the post-market cybersecurity document which is a really good guidance document even from companies that are not making products that are even healthcare.”
Connolly noted that some connected health tools might not need as stringent a metric on a dashboard as others — for example, the stakes are high when you are monitoring a connected device that could impact treatment but relatively low when you are counting your steps on a Fitbit. Therefore, the dashboard would be different for these two products.
While the FDA and HIPAA spell out certain regulations that have to be monitored, it's also important to track different metrics that will impact your clients' health and safety beyond just regulations.
“Something we have spent a lot of time thinking about, that isn’t as commonly discussed as the HIPAA compliance issues, is the patient safety ramifications of the cybersecurity internet, either of a medical device or a mobile app that is using data,” Kijewski said. “Imagine a mobile application that gathers patient heart rate values and stores those heart rates over time to be sent to a clinician, so the clinicians can come to a conclusion based on the heart rate data. It might not be the end of the world if someone can read your heart rate values, but one of the concerns is what if someone modifies those values so that it looks like a patient's heart rate values were doing something that they weren’t. The clinician can make the wrong judgement call based on the data, so we spend a lot of time thinking about the providence of the data.”
Ownership: Not IT alone
Surprisingly, many of the sources agreed that it’s important not to rely on hospital IT teams to come up with the dashboard completely on their own. As connected care tools more often leave the hospital, the capacity to plug security risks is increasingly shifting from in-house IT departments to the vendor.
“Five years ago, a lot of medical device vendors would say that you don’t need to worry about the medical device itself because we can just ensure the hospital network is secure,” Kijewski said. “That’s not a good approach for a couple of reasons. Now you have insulin pumps [and] vital sign monitors that are going home with patients that aren’t on a hospital network. [You] can’t rely on the security of a hospital network. We feel strongly that the devices themselves need to be secure.”
But while the security of the systems might be shifting toward vendor responsibility, it's still important to remember the dashboard's end user.
“The developers play a role in producing dashboards but ultimately the consumers of information on that dashboard need to decide what it is they want to look at and what it is they want to do with that information,” Michael Mangan, who was previously the director of technical support at Sophos and former production engineer at Interad Medical Systems, told MobiHealthNews. “[The system] needs to very quickly be able to interpret what is there and typically you would make that into a dashboard and make it clear to the people looking at it what it is trying to say. And then you have to consider how that information is going to be acted on or what other information needs to be used if you are going to make a decision based on what is on that dashboard.”
While some of the security pitfalls might be out of the developers' control, it is important to have a strategy and protocol put in place for when things do go astray.
Connolly has worked with the FDA for the past four years on improving security for medical devices, including everything from hospital medical devices to connected mobile applications, and stressed the need for incorporating such preparations into an organization's security arsenal.
“Hospitals are well positioned to do something like hurricane preparedness but don’t always consider cybersecurity, especially launched by a cybersecurity adversary,” said Connolly.
To this end, the FDA recently came out with a playbook for companies to follow when systems get hacked and to avoid hacking. The playbook will be available for developers when looking to create their own cybersecurity tools.