There is little doubt that the future of healthcare will rely more on always-connected devices, Software as a Medical Device (SaMD), cloud computing and vast amounts of data processing. We can’t understate the promise that this growing Internet of Medical Things (IoMT) enables – from real-time data that leads to better patient care to state-of-the-art remote healthcare options.
However, moving medical devices outside of the security provided within a managed hospital network and placing them at our homes increases the risk of cyberattacks. As a result, manufacturers not only face the ongoing challenge of ensuring security of their devices but also are under ever-increasing pressure by the regulatory bodies. How can they manage it?
The critical touchpoints in the medical product lifecycle for cybersecurity
Cybersecurity professionals both within the healthcare industry and security domains have answered this challenge by proposing a comprehensive strategy. It includes the following:
- integrating cybersecurity into the product at the design stage,
- providing in-depth multi-layered defensive mechanisms to the pre-market and market-ready products,
- providing ongoing security risk management once the medical device has been made available on the market.
Let’s have a closer look at each one of them.
1. Security by design: guarding against threats while building a device
Security by design is an approach to security risk management that starts early, at the design and prototype stage of a medical product lifecycle. The manufacturer identifies cybersecurity risks early using threat modeling and assessing security risks. These are then mitigated through additional controls as well as the use of state of the art. What is crucial here is that post-market cybersecurity needs are evaluated and planned for while the product is still in the pre-market phase.
This approach brings invaluable benefits to the long-term security of the product. First, it considers the need for an ongoing maintenance and governance of the medical product, easing the implementation of future patches and updates. Second, it reduces the need for potentially costly and time-consuming late-stage changes in the product. Third, early consideration, planning and action leads to a more future-proof device.
2. Defense in depth: layered protection against cyberattacks
Since many security risks cannot be easily managed or controlled, sophisticated cybersecurity technology is needed to mitigate a specific risk. Its use is essential if a risk’s occurrence was to impact the availability of the device or confidentiality of private health data. In these situations, employing redundant and layered defensive mechanisms is the best way to control the security risk.
A common model used by cybersecurity professionals is the CIA triad, based on three principles: Confidentiality, Integrity and Availability. They allow us to establish priorities, identify vulnerabilities and guide risk mitigation solutions. This approach uses software-based cryptographic solutions that are easy to integrate and highly scalable, obfuscation solutions integrated directly into the product build process, and a managed public key infrastructure (PKI) suite for efficient updating of keys, software and security measures in field deployments.
Our Defense in Depth technologies are doing just that. They have negligible performance impact on the product and no negative impact on the functioning of the device. At the same time, our software-based approach is renewable, reusable and portable.
3. Post-market cybersecurity risk management: continuous alertness to vulnerabilities
The responsibilities of managing security risks do not end when a device has gained market access though. Regulators and delivery organizations increasingly oblige device makers to maintain a proactive and systematic process for ongoing security risk management. This is imposed to ensure that you quickly identify new vulnerabilities, exploits for existing vulnerabilities, and mitigate threats. You as a manufacturer also need to maintain relevant documentation for all your security risk management activities.
A comprehensive post-market cybersecurity risk management program includes all the following:
- identifying all the software components in your medical device,
- mapping vulnerabilities,
- proactively controlling newly identified risks,
- routinely updating your threat model,
- using third parties to pen test for unidentified weaknesses.
The ongoing monitoring of different software components for vulnerabilities, new exploits, critical security updates and patches helps you ensure that you control new security risks as quickly as possible. By maintaining a state-of-the-art post-market security risk management process, you can prevent damage to your brand’s reputation and save your business from suffering financial loss. And keeping a proactive, ongoing monitoring process makes it easier for you to maintain regulatory compliance related to cybersecurity.
Key regulatory requirements for medical cybersecurity
You read that right – there is an increasing number of new guidances and regulations issued both by the U.S. and EU regulatory bodies regarding cybersecurity of medical devices. These are:
- European Union’s Medical Device Regulations (MDR) and In Vitro Diagnostic Regulation (IVDR) from 2017
- MDCG 2019-16: Guidance on Cybersecurity for Medical Devices
- Post-Market Management of Cybersecurity in Medical Devices Guidance from the U.S. Food & Drug Administration (2016)
- Executive Order EO 14028 from May 12, 2021
- FDA’s Content of Premarket Submissions for Device Software Functions published in November 2021.
Taken as a whole, protecting medical devices once they are in the market is no longer the sole responsibility of the health delivery organization but increasingly also falls on the manufacturers. So, you are expected to monitor and manage possible vulnerabilities and threats on an ongoing basis. This is no longer about gaining a competitive advantage; it is yours to be or not to be.
Learn more at the 2021 Health-ISAC Fall Summit!
The above remarks are only scratching the surface – there is so much more to know about this topic. You will have a chance to learn all about it at the upcoming 2021 Health-ISAC Fall Summit, held on November 30-December 2, 2021, in San Diego, CA. Feel free to drop by booth #11 for a chat with Irdeto’s experts about cybersecurity for medical devices!