Why Cybersecurity is so Important in the Medical Device Industry

As medical devices become more advanced and the Software as a Medical Device (SaMD) industry booms, it is crucial to make sure your medical devices are cyber-secure. As with all technologies, any medical device that has software requires vigilance, because it can become vulnerable to cybersecurity threats and attacks. The healthcare industry has long been a target of cyber attacks because of its vast amounts of health information and data, such as patient health, product performance, or data from other devices connected to the same network.

A bit of background:

With COVID-19 and the whole of our healthcare industry being under immense stress during these challenging times, it has become more crucial to ensure cybersecurity in our medical devices and reduce vulnerabilities in our healthcare infrastructure.

The lack of cybersecurity in medical devices took center stage when the NHS was attacked in 2017. “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks,” said Amyas Morse, head of the National Audit Office.

This cyberattack targeted computers running Microsoft’s Windows system globally, encrypting people’s data and demanding payments in the cryptocurrency Bitcoin before allowing access to it. Because of events like this, regulatory bodies like the FDA are finally taking the problem of cybersecurity more seriously. In 2019, the U.S. Food and Drug Administration (FDA) issued a warning about two security flaws affecting dozens of implantable cardioverter defibrillators.

Why is healthcare a target for cybersecurity attacks?

  • Private patient information is worth a lot of money. Healthcare facilities are a target because they act as storage for an immense amount of confidential patient data, which can be sold for large sums of money.
  • Outdated technology means the healthcare industry is unprepared for attacks. Because of budget limitations and the hesitance to learn or teach new systems, many healthcare facilities have outdated technology.
  • Medical devices are an easy entry point for attackers. Medical devices and SaMD play a critical role in modern healthcare, but for those in charge of online security and patient data protection, new devices open up more entry points for security breaches.
  • Healthcare staff aren’t educated in online risks. Because of time, budget, and resource constraints, medical professionals are not trained to deal with online threats, and it is a difficult task for healthcare industry staff to be fluent in cybersecurity best practices.
  • The number of devices used in hospitals makes it difficult to stay on top of security. Healthcare organizations are responsible for large amounts of patient data and, more often than not, an extensive network of medical devices all acting as potential security threats.


What can medical device manufacturers do?

Strategies for improving cybersecurity

Due to the rise of cybersecurity threats and the financial impact of data breaches, medical device manufacturers are incorporating strategies to ensure that their medical devices, and therefore their organizations, remain securely protected. Medical device manufacturers should integrate effective cybersecurity plans during the early stages of development and maintain security throughout the device lifecycle. An effective plan should include both premarket and postmarket cybersecurity phases, as well as risk management from device conception to disposal, to help prevent costly changes or delays downstream.

In October 2018, the FDA announced a memorandum of agreement with the U.S. Department of Homeland Security to improve collaboration and sharing of information to address medical device cybersecurity risks. Moreover, the U.S. Department of Health and Human Services’ Office of Inspector General has issued a report calling for the FDA to establish written procedures for securely sharing sensitive information about cybersecurity events with key stakeholders.

According to the International Medical Device Regulatory Forum, medical device manufacturers can improve their cybersecurity by implementing the following:

Secure Communications: The manufacturer should consider how the device will interface with other devices/networks, communication with devices that support less secure communication, and prevention of unauthorized access/modification when it comes to data transfer to and from the device.

Data Protection: The manufacturer should consider whether a level of protection or encryption is required for data stored or transferred on the device and if the device needs confidentiality risk control measures.

Device Integrity: The manufacturer should consider risks that affect the integrity of the device, evaluate the system-level architecture to look for necessary design features, and consider anti-malware controls.

User Authentication: The manufacturer should consider user access controls that determine who can use the device or grant privileges to user roles.

Software Maintenance: The manufacturer should consider the communication process when implementing regular updates, how software will be updated or controlled, how the device will be updated to secure it against other vulnerabilities, the required connections to conduct updates, and the use of code signing for authenticity of the connection.

Physical Access: The manufacturer should consider implementing controls that prevent access to the device by an unauthorized person.

Reliability and Availability: The manufacturer should consider incorporating design features that allow the device to detect, resist, respond to, and recover from cybersecurity attacks.

Conclusion

In addition to these recommendations, medical device companies should stay informed on new cybersecurity strategies and practices. This is vital in preserving and protecting devices along with the sensitive health data gathered by these devices. In the long run, this will safeguard patient information and fortify device organizations. Medical device companies have a responsibility to ensure that their devices are secured and equipped with the right cybersecurity. Check out Promenade's medical device software. Promenade has security experts that can advise you on the vulnerabilities of your device and guide you with mitigation strategies. Promenade offers support in both Pre-Market and Post-Market Cybersecurity and finds the best approaches to take with your device.

Mona Elkebir