Anyone who thought that BlackBerry (BBRY) was facing extinction with the demise of its mobile phones ought to think again. The company is now focusing on software over hardware, and counts healthcare systems among its top customers.
One area where the group hopes to make an impact is medical device cybersecurity, which has come under an unusually bright spotlight this year. David Kleidermacher, BlackBerry’s chief security officer, tells EP Vantage that a standard he helped develop could improve the security of products from insulin pumps to implanted cardiac devices. “We try to hack into the device. We try to find the vulnerabilities,” he says.
“The idea is that any product can go through the evaluation process and be certified to have a decent level of security,” Mr. Kleidermacher says.
This might seem like an odd area for BlackBerry to be involved in, but the group believes that its expertise in other fields translates to healthcare.
“For example, in financial payments, there’s a certification process for smartcards. And we put our mobile software through certification processes,” says Mr. Kleidermacher. “In healthcare, that didn’t exist up until now.”
BlackBerry is not alone in trying to enhance medtech cybersecurity. The FDA and the Association for the Advancement of Medical Instrumentation (AAMI) have both published guidance on the topic. The FDA also recently formed a partnership with the National Health Information Sharing and Analysis Center, and the Medical Device Innovation, Safety, and Security Consortium to improve cybersecurity.
However, some experts are unsure whether these existing measures could prevent a cyberattack (Vantage Point – Medtech needs to up its cybersecurity game, November 1, 2016).
And Mr. Kleidermacher believes that current practice, which puts the onus on medical device companies, has room for improvement.
“In the security world there’s one thing we’ve learned: trusting vendors to do the right thing is ridiculous,” he says. “It can’t just be ‘I’m going to hire some random company to assess me and trust me, I’ve done a good job’.”
He adds: “There’s tons of guidance out there. But there’s one best practice they’re all missing, and that is, at the end of the day, you need an independent evaluation by independent experts.”
The new standard, called DT SEC, meets this requirement as it is managed by a non-profit organization, he says. “In terms of having a program where any product from any vendor can be brought to this independent group to evaluate it for security, it’s the only program of its kind in medical devices.”
No standard can totally guarantee against attack, Mr. Kleidermacher warns. But the program would give users more confidence than is currently the case, he believes. “Our goal is to raise the bar to a point where people can say, 'My insulin pump isn’t sitting there wide open.' That should raise the confidence from almost zero today to really high.”
He highlights the case of St. Jude Medical (NYSE:STJ), which hit the headlines earlier this year when a short seller claimed there were security flaws in the company’s implantable cardiac devices. It is still unclear whether there are any issues with the products.
“That’s the problem – we shouldn’t be guessing,” Mr. Kleidermacher says. “The biggest problem in cybersecurity is not the technology, but the fact that we don’t have confidence because there’s no way of measuring security today.”
He estimates that the cost of evaluating a device using the DT SEC standard will come to around one tenth of 1% of the device’s overall development cost, which naturally varies based on the complexity of the product and other factors.
“It’s not much, because we’re focusing on a vulnerability assessment rather than generating reams and reams of paper that we have to go through,” he says.
So far BlackBerry has worked with diabetes device manufacturers, “simply because these had the biggest initial concern because insulin pumps had been hacked into before”, he says. “Several manufacturers in diabetes have come to us and are going through the process of seeing if they can meet the standard.”
But the new standard could be used with devices of any sort. More companies would get on board if the program were required or recommended by the regulatory authorities, Mr. Kleidermacher believes.
He points out that the FDA, NIH, Health Canada and the US Department of Homeland Security were all on the steering committee for the standard – but “they don’t want to be too prescriptive. They’re very hesitant to mandate things today.”
“I’m hoping they’ll recommend it as a starting point. Or they could just mandate it for new devices, because with a lot of the legacy stuff it’s going to be impossible to meet these standards.”
Insurers and payers could also have a part to play. “If insurers said, we’re going to give the hospitals a better rate if they use infusion pumps that are certified, that’d be good.”
If either of those things happened, “all of a sudden, the St. Judes of the world would be calling us,” Mr. Kleidermacher says. But he concludes: “There needs to be an economic driver. People won’t do the right thing just because you think it’s the right thing to do.”