Cybersecurity Is a Shared Responsibility

Health care today is very much a team sport. What is fixed by the nephrologist can quickly be undermined by the cardiologist if they each fail to see the patient as a whole person, not just a collection of body systems.  Even the most sophisticated diagnostic test is useless if providers fail to share patient data and results to guide care.

It takes a team approach, each member focused on their area of expertise and sharing the responsibility to ensure good health outcomes.

The cybersecurity of today’s health care technology systems is no different.  Ensuring a healthy and safe system is not just the concern of any one entity. Rather, it is a shared goal that involves all stakeholders with each taking responsibility for their unique contribution while still working together.

U.S. medical device manufacturers take our role in this effort very seriously. We recognize that these lifesaving and powerful devices, like MRI and CT machines, do more than diagnose disease and help guide treatment. They also generate and hold sensitive data and patient information. Manufacturers strive to ensure devices are developed and supported in a way that enables their secure operation, but the reality is we cannot do it alone.

Real, practical solutions must reflect the health delivery organization setting and recognize that device manufacturers cannot control security within the operational environment.  Effective, long-term cybersecurity solutions will require health delivery organizations to work collaboratively with manufacturers to appropriately utilize security information provided by manufacturers, government agencies, and other industry bodies to properly assess, architect, and maintain effective cybersecurity hygiene.

Determining how best to secure devices and infrastructure against future attacks is an ongoing process, but one thing is clear: A secure health care environment needs to rely on standards for health care risk management as opposed to new regulations on medical devices. Cyberthreats are constantly evolving, and risk-mitigation tactics must be flexible enough to respond to the evolving threat landscape.

This is a complex problem with no simple solution. We are committed to working with stakeholders and doing our part to safeguard patients and their data from potential harm.

The Medical Imaging and Technology Alliance (MITA) is currently spearheading an initiative to develop a workable Software Bill of Materials with health delivery organizations like the Mayo Clinic and New York Presbyterian, as well as the Food and Drug Administration, the National Telecommunications and Information Administration, and the Health Sector Coordinating Council (HSCC). We also hope that our involvement with the HSCC Cyber Workgroup will help to advance the group’s Joint Strategic Plan, which lays out a roadmap for improvement for every part of the sector – health delivery organizations, manufacturers, payers and government agencies – to pursue.

Treating cybersecurity holistically, just as care providers should approach a complex patient, is the only way we can expect to develop effective solutions. It is time that we work together towards a common goal: the improved safety and security of all patients.

Michael McNeil is global product security and services officer for Royal Philips and chair of the Medical Imaging and Technology Alliance (MITA) Cybersecurity Committee.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult