This is archived ASPR content.

ASPR Blog

Earlier this month I wrote about National Cybersecurity Awareness month and HHS agencies’ collaborative efforts with industry partners to improve the cybersecurity of the Healthcare and Public Health Sector. One of the greatest challenges we face is always chasing a moving target of advancing technology. In order to protect our systems, we have to be able to predict where technology will drive tomorrow’s security concerns. But as the recently departed Yogi Berra would remind us, “It’s tough to make predictions, especially about the future.” With technology changing so fast, how does the federal government keep up?

Across HHS, organizations working to address cybersecurity in healthcare and public health settings are finding that by working closely with the many diverse stakeholders, they can stay on top of emerging trends.

At the Food and Drug Administration, for example, all medical devices are regulated based on risk. Moderate- and high-risk devices are generally evaluated for their safety and effectiveness before they are allowed to be sold to the public. Increasingly, these devices are designed to be wireless and Internet- and network-connected, which enables remarkable advances that have the potential to transform patient care. At the same time, this interconnectivity means cybersecurity risks need to be addressed.

The FDA recognizes that collaboration with the private sector is essential to enhancing medical device cybersecurity. Engaging with all of the stakeholders in the medical device ecosystem, including security researchers, is an important step toward strengthening medical device cybersecurity. Security or vulnerability researchers are sometimes referred to as “white hat” hackers, a reference to the cliché headgear of “good guy” cowboys in old Western films. They study medical devices and systems, looking for flaws, weaknesses, or vulnerabilities that, if exploited, could cause harm. White hats work with manufacturers, regulators, and other stakeholders to safeguard patient care and privacy without putting patients at risk – by revealing flaws in a controlled setting and reporting them so they can be proactively addressed in both current and future designs. While skilled and persistent adversaries seek to harm, skilled and persistent “white hat” protectors seek to safeguard. Distinguishing between a malicious attack by adversaries and a good-faith effort by security researchers allows medical device manufacturers to discourage the former and derive value from the latter.

For example, when security researcher Billy Rios discovered potential vulnerabilities in a line of infusion pumps, he alerted the manufacturer, the Department of Homeland Security’s cybersecurity response team known as ICS-CERT, and the FDA prior to making any public announcement. This allowed FDA experts to analyze the issue and, based on their findings, issue a safety communication to healthcare facilities earlier this year with mitigation strategies and a recommendation that they transition away from using this line of pumps.

According to Dr. Suzanne Schwartz, Associate Director of Science and Strategic Partnerships and Acting Director of Emergency Preparedness and Medical Countermeasures in the FDA’s Center for Devices and Radiological Health, the best outcomes happen when security researchers work with medical device manufacturers and federal partners in a coordinated manner to identify and help address medical device cybersecurity concerns together. The FDA highly values the researchers’ technical expertise and regards their contributions as essential to identifying medical device cybersecurity vulnerabilities which, if exploited, may result in patient harm.

Then there is the HHS Office for Civil Rights (OCR), which enforces the privacy, security, and breach notification provisions of the Health Insurance Portability and Accountability Act (HIPAA). Electronic health records and other forms of health data management systems have been in use by healthcare facilities for a long time, but the landscape is changing. Increasingly, providers and patients alike are looking for easy ways to access information on the go through the use of mobile devices. Mobile device technology changes rapidly, so developers face the complex challenge of developing new systems while maintaining strong privacy and security safeguards for patient data.

To help keep these mobile applications secure, OCR launched a new platform this month to assist mobile health developers and others interested in the intersection of health information technology and HIPAA. The new portal allows stakeholders to submit questions about HIPAA, present a use case, or see what their peers are discussing. Users can comment on the discussions and vote on which topics or use cases would be most helpful or important.

OCR staff, in turn, will consider the input provided in the portal as they develop guidance and technical assistance related to the HIPAA Rules. Deven McGraw, Deputy Director of OCR’s Health Information Privacy Division, says that the new portal helps innovators address privacy and security at the best point possible: while applications are being developed. It is always easier to build safeguards in from the beginning than to try to add them to a finished product. Through the portal, OCR wants to demonstrate to developers that we are there to support them in developing products that provide assurance to customers that their information is safe and secure, and will be used and disclosed only as approved or expected.

Working together, HHS and our private sector partners in the Healthcare and Public Health Sector can continue to increase the security of the systems the public depends on to protect their lives, health, and privacy.
