Cybersecurity and medical devices: Expert advice

Cybersecurity threats are an increasing worry to medical device businesses. Nova Leah offers expert advice in the safeguarding of medical devices. The company’s founder Anita Finnegan discusses the significance of the company’s work.

Cybersecurity threats to connected medical devices are real, ever-present, and continuously changing according to the US Federal Drug Administration (FDA). Hospital networks are experiencing constant attempts of intrusion and attack posing a serious threat to patient safety.

Increased connectivity of medical devices to hospital IT-networks provides significant benefits to patient care but also exposes both manufacturers, healthcare providers and patients to cybersecurity risks which can affect the safety of between 10 and 15 million connected devices currently being used by patients.

The FDA has now published guidelines for post-market cybersecurity risk management of networked medical devices. This is in addition to the FDA’s pre-market guidance issued in 2014. This guidance document recommends that manufacturers now consider cybersecurity throughout the entire lifecycle of a device by developing “a structured and comprehensive program to manage cybersecurity risks” even after their products have been sold.

The newly published post-market recommendations provide device manufacturers with a set of practices designed to assure the security of devices once in use. These include:

• Monitoring cybersecurity information to help identify and detect vulnerabilities.
• Maintaining software life-cycle processes such as: 
• Monitoring third-party software components for new vulnerabilities.
• Design verification and validation for software updates and patches.
• Using threat modelling to help maintain the safety and performance of a device.
• Mitigating cybersecurity vulnerabilities early and before they are exploited.

The FDA pre-market recommendations include:

• Identification of assets, threats and vulnerabilities.
• Assessment of the impact of threats on device functionality and patients.
• Assessment of the likelihood of a threat or a vulnerability being exploited.
• Determination of risk levels and suitable mitigation strategies.
• Assessment of residual risk and risk acceptance criteria.

Manufacturers can do this by building-in security controls during the product design phase and by continuously monitoring devices to address on-going cybersecurity concerns.

Importantly, the FDA also recommends collaboration between stakeholders (medical device manufacturers, health IT developers, IT system integrators and end-users) as an effective approach to addressing risks through cyber-threat information sharing.

The onus is now very much on medical device manufacturers to adopt a proactive and vigilant approach to evolving cybersecurity threats and vulnerabilities when designing, developing and maintaining the security of their medical devices.

Expert medical device risk assessment with SelectEvidence

SelectEvidence is a collaborative cybersecurity expert system that supports medical device manufacturers in designing, verifying and certifying connected medical devices to meet these FDA guidelines and industry security standards. It also assists healthcare providers in the selection, acquisition and risk management of medical devices on their healthcare networks.

The system allows stakeholders to implement cybersecurity requirements for their devices using proven standards within a collaborative framework. It is supported by state of the art repositories which inform each step of the cybersecurity management process providing full traceability from risk identification to treatment thus significantly reducing the time a manufacturer spends working on risk assessments. It also:

• Accelerates medical device design, development and validation.
• Reduces time-to-market for new 510k and PMA submissions.
• Reduces costs associated with post-market surveillance documentation and reporting.
• Prevents the likelihood of recalls due to cybersecurity vulnerabilities.
• Breaks down knowledge barriers between manufacturers and healthcare providers, improving the security of a device over its lifetime.
• Reduces the time spent selecting security controls to support a device in operation.
• Produces documentary evidence of compliance to regulators, auditors and customers.