Jesse Wood, Intertek
MEDdesign

Risk Management and Other Cybersecurity Considerations for Connected Medical Devices

By Jesse Wood
Jesse Wood, Intertek

While connected capabilities and wireless technology certainly lead to greater patient care, they also expose devices to greater cybersecurity risks.

The medical industry is driven by patient care, and medical device manufacturers are constantly looking to improve features, functionality and accessibility to contribute to this mission. Incorporating communications technology and wireless capabilities into medical devices is one way to make those improvements. Doing so can increase potential for monitoring, alerting, collecting/analyzing data, controlling medication and assisting doctors with surgeries and other procedures.

While connected capabilities and wireless technology certainly lead to greater patient care, they also expose devices to greater cybersecurity risks. In other industries, as manufacturers incorporated connectivity in their products, many found they lacked processes or means to adequately address cybersecurity. Medical device manufacturers must learn from this and ensure that, as they implement connected and wireless features, they recognize and mitigate cybersecurity risks.

Register for the 2nd Annual Legacy Medical Device Cybersecurity Conference | A Virtual Event | September 22–23, 2020

Regulatory Guidance

The FDA has recommended cybersecurity design and validation be considered for submissions of products that include software components. Manufacturers currently must include software validation and risk analysis as part their procedures for validating the design of their devices containing software. The FDA has clarified in their draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” that, where appropriate, these procedures may need to include a cybersecurity vulnerability and management approach. Although the FDA guidance is currently in draft and only consists of suggestions, it is anticipated that as the guidance matures with the emergence of cybersecurity laws and regulations, the FDA suggestions regarding cybersecurity will become requirements.

In addition to their draft guidance, the FDA has recognized ANSI/UL 2900 for cybersecurity testing on connected devices. This standard was created for all network-connectable products, requiring them to be evaluated for vulnerabilities, software weaknesses and malware. ANSI/UL 2900 imposes three sets of broad requirements. First is documentation of design, security and management, as well as a risk assessment of security mitigation integrated into the design. Second is the application of risk controls, including access control, user authentication and authorization, securing remote communication, protection of sensitive data, and product management. Third, the standard calls for eliminating product vulnerabilities through analysis and testing.

Attend the complimentary MedTech Intelligence event |  “Defend Against MedTech Cyber Breach: A Fireside Chat with Critical Healthcare StakeholdersWhile ANSI/UL 2900 has been recognized by the FDA, it is not a requirement, nor has it been broadly picked up by the industry. As the administration continues to align with other industries standards and develop their own requirements, cybersecurity considerations and implementations will move further into real compliance and conformity requirements.

In the meantime, states like California and Oregon have established laws requiring manufacturers to equip connected products with a minimum baseline of cybersecurity. This includes medical devices, so manufacturers should be prepared to demonstrate compliance with these laws and others like them as they are implemented by more jurisdictions.

Ensuring the cybersecurity of a connected medical device relies on adopting best practices, familiarity with applicable requirements, and perhaps most importantly, risk management. Medical device manufacturers are familiar with assessing and controlling risk in other areas, then presenting results to regulators. Creating a parallel process for cybersecurity is strongly recommended.

Risk Management

Medical device manufacturers are familiar with risk management since many regulatory bodies already require that risks to patient health and safety be assessed and managed. Manufacturers already have risk management files that document the risks and hazards associated with use of their medical device to patient safety. Given these processes and documentation already exist, manufacturers may attempt to bundle cybersecurity into what they already have. Why not just add one or two line-items to the current risk management file?

To an attacker, a medical device with computational and network capabilities is just another computer with the exception that medical devices may pose safety hazards and often have physical access to patients. Further, as hospitals and other medical organizations are increasingly the targets of cyber-attacks, medical devices that were designed without considering security risks may be vulnerable to exploit and used as weak link entry points for attackers to stage attacks (including delivering ransomware) against these sensitive networks.

Cybersecurity is a complex issue facing all of IT and especially network connected devices, but as with traditional medical risk management, there are mature processes that exist for managing cyber risks. The FDA recommends following the guidance in TIR57, which in turn follows NIST SP800-30. Both the FDA and TIR57 recommend creating a parallel cybersecurity risk management process and feeding inputs and results back and forth between the existing process for safety and the new process for security.

When developing a cybersecurity risk management plan, define criteria for acceptable levels of risk across relevant categories, including safety, privacy and lost data. Consider the environment where a product will be used. Devices implanted in humans, products supporting research in universities, and equipment performing surgeries in hospitals all have different risk profiles. Use all relevant information to develop a robust mitigation plan.

Once the plan is established, perform cybersecurity-specific risk assessment. Use techniques that exist for traditional information security and apply them to the device as if it were an information system, which it is. Where risks are found and determined to be unacceptable, design and implement features that mitigate them, starting with highest risk, aligning the process for cyber with the process for safety. Finally, feed security risks and design controls with potential to impact safety into the risk management file.

Risk management plans help ensure the overall safety of a medical device in a way that is seamless and easy to use. It would be unfortunate to discover too late that security features are cumbersome, get in the way during an emergency or that data processing cannot occur in a life-saving device. A formal cybersecurity risk management process quantifies cyber risks and provides solutions to help mitigate them.

Cybersecurity Evaluation

In addition to a risk management plan, it is a good idea to conduct security testing throughout the product development cycle. Trying to add security at the end of a project can be more costly and less effective, possibly disastrous. Failures may require starting over, meaning more time and money spent on product design and development. Testing cybersecurity early and often will help ensure you are not making any mistakes along the way.

Independent testing and security certification of connected devices illustrates compliance with regulatory requirements of course, but it also demonstrates a commitment to security and privacy of patients, healthcare professionals and important medical data. Medical devices should be evaluated to a full scope of testing, including regulatory and safety compliance evaluations of cellular and non-cellular elements, as well as assurance of interoperability.

When conducting these evaluations, consider standards and tests for both the hardware and software. ANSI/UL-2900 is a good starting point for assessing hardware, while IEC 62304 provides a solid baseline for software validation. Meeting all of the requirements requires already having an effective documentation and validation process.

A full scope of testing and evaluations will also include interoperability assessments, which is especially critical in medical devices, as they—and/or other devices in the ecosystem—may perform life-saving functions and provide critical points of care. Full-scale testing also ensures communication channels are secure, which safeguards the privacy and integrity of data transferred between the device and infrastructure. Testing the infrastructure, in turn, provides assurance that sensitive data is adequately protected against unauthorized disclosure, theft, hacking or other concerns.

At the end of the day, no two medical devices are the same. It is up to the manufacturer to ensure the security of a device and patient data. It is up to manufacturers to make sure a product performs as needed in a safe and secure manner. The manufacturer must assess risk and do their best to mitigate it. Doing so will ensure a successful product, build a better brand, and advance patient care into the future.

About The Author

Jesse Wood, Intertek