The healthcare industry has made great efforts over the past few years to prevent and mitigate the risks of cyberattacks targeting connected medical devices and healthcare systems. The alarming numbers indicating an increase in cyberattacks against healthcare institutions sadly show that there are still problems to tackle, particularly on the part of Medical Device Manufacturers (MDMs).
The introduction of the Network and Information Security 2 (NIS2) Directive marks one of the latest and most important attempts to address these challenges.
Top 4 medical device cybersecurity challenges for MDMs
1. Insufficient cybersecurity resources
Budgets for medical device cybersecurity in the healthcare industry are typically tight, leaving understaffed IT teams unable to keep up with threats. In a survey conducted in 2022, the majority of participating MDMs admitted that they lacked senior ownership of medical device cybersecurity, such as a dedicated chief, vice president or head of security. This results in ineffective control and monitoring in this area.
In addition, the survey linked the absence of a product security incident response team (PSIRT) to its finding that 61% of businesses do not have a proactive post-production security approach for their devices. This weakens medical device vulnerability management and endangers the healthcare sector, since problems are hard to fix without efficient processes or controls.
2. Lack of collaboration between MDMs and healthcare delivery organizations
Medical device vulnerability management should be a joint duty between MDMs and healthcare providers. This responsibility is unfortunately often poorly articulated by MDMs, including expectations for cybersecurity controls and maintenance throughout a device’s lifecycle.
Healthcare personnel may be unaware of the medical device cybersecurity procedures to follow in the absence of explicit manufacturer-defined guidance, placing their organizations at risk of attack through human negligence. The fact that human error was responsible for 33% of healthcare breaches in 2020 illustrates this clearly.
3. Too many out-of-date medical devices are still in use
MDMs typically don’t patch or upgrade their operating systems or software very frequently. As a result, many medical devices today still run outdated software and technology, which weakens their security. The cybersecurity dangers cannot be ignored even if these devices continue to function successfully in clinical settings. They resemble a ticking time bomb that may put healthcare systems and patient safety at even greater risk.
4. Difficulty in cybersecurity regulatory compliance
Dealing with complex cybersecurity regulatory compliance is one of the healthcare industry’s common issues. Even though updated standards, new guidance documents and market-specific legislation aim to ensure the highest level of safety for medical device cybersecurity, they inadvertently make it a challenge for many MDMs to keep up with changes in standards and requirements.
When accessing various markets, MDMs may encounter a patchwork of legislation with varying language and standards, meaning a different set of rules must be followed depending on the country their products are marketed in. Although the requirements may sometimes overlap globally, a separate submission is mandatory for a country’s approval. It becomes more challenging to implement consistent security measures, medical device vulnerability management and information sharing as a result.
What does NIS2 mean for these medical device cybersecurity challenges?
- Increase regulatory harmonization: NIS2 aims to eliminate divergences in medical device cybersecurity standards and practices among member states. It lays out the fundamental guidelines for a regulatory framework and the procedures for effective coordination between the relevant authorities in each member state.
- Require significant investment in resources: In order to comply with the revised Directive, organizations in the healthcare sector, including MDMs, may need to invest in new technologies and procedures as well as employee training. This may raise their operating costs, but it will lead to better security and protection of patient data, ensuring seamless service delivery in the long term.
- Conduct regular testing and updates: To reduce the risk of healthcare service disruptions, the Directive mandates the implementation of steps, such as routine testing and updating of medical devices and cybersecurity systems, staff training and incident response planning.
- Build a stronger incident reporting mechanism: Incident reporting is mandatory and must be executed in a timely manner, following the three-step structure of early warning, notification and final report. The Directive also requires MDMs to set up processes for managing medical device security risk assessment, reporting and information sharing.
- Strengthen cooperation between entities: The NIS2 Directive encourages cooperation and information sharing across all entities, particularly when it comes to cybersecurity-related matters. Since information sharing is a vital tool for medical device vulnerability management, MDMs are required to have a coordinated vulnerability disclosure policy and practice. This makes sure all involved parties stay informed with the latest medical device cybersecurity developments and threat actor-specific information.
How should MDMs respond?
To get started, MDMs should answer the following four questions:
- Who will be affected under NIS2?
- What do you need to do?
- When is the final deadline to comply with it?
- What happens if you fail to comply with it?
Answering each of these questions is essential to helping MDMs understand the requirements in detail and shape their overall action strategy. Our infographic below will provide you with all the information you need to get started.
Want to learn more about NIS2?
Learn all about NIS2 from our free e-book: “NIS2: The basic for MDMs.”