Cybersecurity has become the buzzword in the medical arena with the increasing use of wireless, Internet and network-connected devices. Due to the surge in the use of connected medical devices, both in hospitals and at home, it has become more important than ever before to ensure that such devices are sufficiently safeguarded from cyberattacks which have the potential to not only render the devices inoperable but also disrupt the delivery of patient care across healthcare facilities.
To address this likely threat, various health regulatory agencies around the world are recommending that the industry manufacture medical devices that are adequately resilient to cybersecurity threats or risks and that, once so assured, can be considered trustworthy devices.
But what exactly are trustworthy devices? And what are these Cybersecurity Threats and Risks which are being mentioned time and again?
In this blog, we break down the definition of trustworthy devices and establish that it is the software that these devices rely upon for safe operation that eventually makes or breaks the device.
What is a trustworthy device?
In 2018, the U.S. Food and Drug Administration (FDA) issued its draft guidelines titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices with the intent to, inter alia, assist the medical industry to promote the design and development of medical devices by safeguarding them against cybersecurity threats and risks.
In these guidelines, we first come across the definition of trustworthy devices:
“Trustworthy Device – a medical device containing hardware, software, and/or programmable logic that:
(1) is reasonably secure from cybersecurity intrusion and misuse;
(2) provides a reasonable level of availability, reliability, and correct operation;
(3) is reasonably suited to performing its intended functions; and
(4) adheres to generally accepted security procedures.”
If a medical device meets the above criteria, it will be considered a trustworthy device. However, a device is only as safe as the software within it. Trustworthy software is needed to achieve stable and successful solutions in any industrial space, including the medical devices industry.
Therefore, it is important that we identify the trustworthiness of the software in order to establish the trustworthiness of the medical device.
Trustworthiness of software is based on five characteristics:
These characteristics, directly and in combination, provide protection against hazards and threats related to environmental disturbances, human errors, system faults and possible attacks.
In addition, trustworthiness concerns in any software are addressed by analyzing architecture, design, code quality and implementation procedures and taking proactive steps in each of them to safeguard the software from safety hazards, security attacks and theft.
Why is this important? What does it mean?
The value of a medical device which relies on software for safe operations will either increase or diminish depending on how secure, reliable and resilient the software which it harbors is.
Therefore, it is crucial to integrate safe, process-oriented activities throughout the software lifecycle. Methods for proving and controlling the provenance of various software components, their configurations and their pedigree further engender trust in the software. Trust and confidence in medical devices are also bound to increase if the software design and operation are made transparent, evidential and auditable to the end-user. Documentation demonstrating the trustworthiness of the software will also help both regulators and end-users quickly and efficiently assess the device’s safety and effectiveness vis-à-vis cybersecurity.
Thus, supporting and safeguarding the software against cybersecurity threats and risks will ensure the safety of the medical device, which relies on the software for safe operations.
It is when the software is foolproof that the medical device will remain safe and effective throughout its lifecycle.
This is Part 1 of our Trustworthy Device blog series. In Part 2, we will deep dive into the cybersecurity threats and risks and analyze the steps which a manufacturer can take to ensure effective cybersecurity management in medical devices.