Eric Cosman, OIC Concepts

Medical Systems Cybersecurity

By Eric C. Cosman

It’s important to draw on experience from other sectors.

The past 18 months have displayed for all what many in the field already recognized: how critical medical infrastructure is to the health and safety of our world. Protecting that infrastructure in the face of digital transformation and growing connectivity requires reevaluating the security of the new, automated technologies that make success and health possible today.

With the increased use of communications and information technologies, automated systems are now common in most critical infrastructure sectors. Sophisticated automation is generally associated with sectors such as chemicals, energy supply and distribution, and transportation, but such applications are widely applied in other industries as well, including medical devices and services.

Protecting production systems from cybersecurity threats is essential in ensuring their availability and continued safe operation and preventing adverse consequences, ranging from equipment failure and loss of production to personal injury. This protection is greatly assisted by using cybersecurity standards that describe proven and accepted practices.

How Standards Can Help

The ISA/IEC 62443 series of standards is the world’s only consensus-based industrial cybersecurity standard. The series defines requirements and procedures for 1) implementing electronically secure automation and control systems and security practices and 2) assessing electronic security performance. ISA approaches the cybersecurity challenge in a holistic way, bridging the gap between operations and information technology. The standards include guidance about technology and work processes, taking a risk-based approach to cybersecurity by helping users identify what is most valuable and requires the greatest level of protection. The material in the series is complementary with the requirements found in commonly used IT standards, like ISO/IEC 27001 and 27002.

Given the interconnected nature of complex computer and control networks, where vulnerabilities in one sector can be exploited in other sectors, it is critical that standards apply across key industries and infrastructures, and the ISA/IEC 62443 series has amassed users across more than 20 different industry segments.

This interest has now extended into the medical services and healthcare sectors. By observing the trials and successes of other industries, these critical areas can employ even stronger cybersecurity practices moving forward.

Learning from Other Industries

The medical device sector employs the same computing and communications technologies as other industries, and thus is subject to the same threats and vulnerabilities. For example, the need for a well-organized approach to patching and updating computing platforms is the same regardless of whether it is being applied to medical device production systems or automotive manufacturing. Failure to recognize these similarities and draw adequately on the lessons learned elsewhere results in installed systems with unmitigated vulnerabilities, making them attractive targets for cybersecurity attacks. Risk mitigation also involves segmentation of complex systems and the application of mitigating controls based on anticipated risk.

Understanding the severity of potential consequences, such as loss of view or access to data, loss of control, compromise of system integrity and equipment damage, is critical in preventing adverse events. A unifying theme across such disparate sectors is a focus on preventing these harmful consequences or limiting their impact should they occur.

Seemingly diverse sectors can learn from each other, basing their cybersecurity response on solid principles, concepts and models that are not sector specific. By utilizing a standard approach to maintaining cybersecurity, industries can remain confident that their partners throughout the supply chain are operating on a similar level to protect common infrastructure.

This assertion can be confirmed by applying common requirements and measures, such as those described in the ISA/IEC 62443 series of cybersecurity standards, to medical systems. Such application can be accomplished using a simple methodology.

Implementing Standard Practices

This starts with translating the principal roles defined in the standards into corresponding roles in the target sector. For example, the generic role of asset owner as described in ISA/IEC 62443 maps directly to that of the healthcare provider who owns and operates automated systems for patient monitoring, diagnostics and patient care. Service providers are responsible for calibrating and maintaining systems, including ensuring that appropriate security updates are applied as needed. Finally, device and system suppliers are accountable for ensuring that their products meet minimum security requirements, both at the device and system levels.

In a similar manner, a systems engineering approach shows that the lifecycle of medical devices is similar to that of larger industrial systems. These consist of a series of distinct phases ranging from conception or specification through development, delivery and configuration to operation, maintenance and replacement. Each of the principal roles has defined responsibilities in each of these phases.

These responsibilities are described in the form of normative requirements in the standards. Each requirement is stated in practical and precise terms, describing what must be accomplished without prescribing the methods for doing so. This means that each requirement can be interpreted and restated in terms that are more familiar for the targeted environment, such as medical systems. Many, if not most, of these requirements will have specific implications for one or more of the principal roles within the medical field.

In order to apply the standards directly to medical environments, the combination of role descriptions, interpreted requirements, and implications detailed in them should be documented in the form of a recommended practice for use in the chosen environment. Such practices have been created for several sectors or industries to create specific guidelines for industry users, thus demonstrating the value of this approach.
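The methodology just described (translate the generic roles, restate each requirement for the target sector, then check that every role has responsibilities in every lifecycle phase) can be modelled as a small traceability tool. The following is an added example, not code from the article or the ISA99 committee; the requirement texts and identifiers are constructed illustrations, not wording or clause numbers from ISA/IEC 62443, and the healthcare role names are assumed.

```python
from dataclasses import dataclass

PHASES = ["specification", "development", "delivery", "operation", "maintenance", "replacement"]

# Generic ISA/IEC 62443 roles -> healthcare roles (the mapping the article describes).
ROLE_MAP = {
    "asset owner": "healthcare provider",
    "service provider": "device maintenance provider",
    "product supplier": "medical device supplier",
}

@dataclass(frozen=True)
class Requirement:
    req_id: str  # constructed id, not a clause number from the standard
    role: str    # generic role the requirement addresses
    phase: str   # lifecycle phase in which it applies
    text: str    # generic wording with a {role} placeholder

# Constructed generic requirements; illustrative, not the standard's wording.
GENERIC = [
    Requirement("R-01", "product supplier", "development", "The {role} shall follow a secure development process."),
    Requirement("R-02", "product supplier", "delivery", "The {role} shall document the delivered system's security capabilities."),
    Requirement("R-03", "asset owner", "specification", "The {role} shall define the target security level for each zone."),
    Requirement("R-04", "asset owner", "operation", "The {role} shall segment the system into zones and conduits based on risk."),
    Requirement("R-05", "service provider", "maintenance", "The {role} shall apply approved security updates within the agreed window."),
    Requirement("R-06", "asset owner", "replacement", "The {role} shall decommission devices so that no patient data remains on them."),
]

def interpret(req, role_map=ROLE_MAP):
    """Restate one generic requirement in sector terms; reject unmapped roles or phases."""
    if req.role not in role_map:
        raise KeyError(f"no sector role mapped for generic role '{req.role}'")
    if req.phase not in PHASES:
        raise ValueError(f"unknown lifecycle phase '{req.phase}'")
    sector_role = role_map[req.role]
    return sector_role, req.phase, req.text.format(role=sector_role)

def recommended_practice(reqs, role_map=ROLE_MAP):
    """Group interpreted requirements by (sector role, phase) for the practice document."""
    practice = {}
    for r in reqs:
        role, phase, text = interpret(r, role_map)
        practice.setdefault((role, phase), []).append(f"{r.req_id}: {text}")
    return practice

def coverage_gaps(practice, role_map=ROLE_MAP):
    """(sector role, phase) pairs with no stated responsibility: still to be drafted."""
    return sorted((role, phase) for role in role_map.values()
                  for phase in PHASES if (role, phase) not in practice)
```

Running `coverage_gaps(recommended_practice(GENERIC))` lists the role and phase combinations the draft practice does not yet address, which is the list the drafting team works through before the document is complete.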

Cybersecurity: Applicable to All

Cybersecurity practices may feel specific to a certain industry and its applications, but in reality the basics are applicable to a wide range of industries that are dedicated to protecting our critical infrastructure. As the medical field employs more systems connectivity and advanced devices, industry leaders must look to the successes of other sectors to ensure asset safety. Those addressing the cybersecurity of medical and healthcare systems are encouraged to draw on the knowledge and experience of common and sector-specific disciplines, using the ISA/IEC 62443 standards to define the basics of a comprehensive response.

Those with interest in this area may contact the ISA99 committee (responsible for the ISA/IEC 62443 standards) at to discuss this opportunity in more detail.

About The Author

Eric Cosman, OIC Concepts