As medical devices become more advanced and the Software as a Medical Device (SaMD) industry booms, it is crucial to make sure your medical devices are cyber-secure. As with all technologies, any medical device that runs software requires vigilance, because it can become vulnerable to cybersecurity threats and attacks. The healthcare industry has long been a target of cyber attacks because of the vast amounts of health information and data it holds, such as patient health, product performance, or data from other devices connected to the same network.
With COVID-19 and the whole of our healthcare industry being under immense stress during these challenging times, it has become more crucial to ensure cybersecurity in our medical devices and reduce vulnerabilities in our healthcare infrastructure.
The lack of cybersecurity in medical devices took center stage when the healthcare industry was hit by the attack on the NHS in 2017. “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks,” said Amyas Morse, head of the National Audit Office.
This cyberattack used Microsoft’s Windows system to target computers globally by encrypting people’s data and demanding payments in the cryptocurrency Bitcoin before allowing access to it. Because of events like this, regulatory bodies like the FDA are finally taking the problem of cybersecurity more seriously. In 2019, the U.S. Food and Drug Administration (FDA) issued a warning about two security flaws affecting dozens of implantable cardioverter defibrillators.
Due to the rise of cybersecurity threats and the financial impact of data breaches, medical device manufacturers are incorporating strategies to ensure that their medical devices, and therefore their organizations, remain protected. Medical device manufacturers should integrate effective cybersecurity plans during the early stages of development and maintain security throughout the device lifecycle. An effective plan should include both premarket and postmarket cybersecurity phases, as well as risk management from device conception to disposal, to help prevent costly changes or delays downstream.
In October 2018, the FDA announced a memorandum of agreement with the U.S. Department of Homeland Security to improve collaboration and sharing of information to address medical device cybersecurity risks. Moreover, the U.S. Department of Health and Human Services’ Office of Inspector General has issued a report calling for the FDA to establish written procedures for securely sharing sensitive information about cybersecurity events with key stakeholders.
According to the International Medical Device Regulatory Forum, medical device manufacturers can improve their cybersecurity by implementing the following:
Secure Communications: The manufacturer should consider how the device will interface with other devices and networks, how it will communicate with devices that support only less secure communication, and how to prevent unauthorized access or modification when data is transferred to and from the device.
Data Protection: The manufacturer should consider whether a level of protection or encryption is required for data stored or transferred on the device and whether the device needs confidentiality risk control measures.
Device Integrity: The manufacturer should consider risks that affect the integrity of the device, evaluate the system-level architecture to look for necessary design features, and consider anti-malware controls.
User Authentication: The manufacturer should consider user access controls that determine who can use the device or that grant privileges to user roles.
Software Maintenance: The manufacturer should consider the communication process when implementing regular updates, how software will be updated or controlled, how the device will be updated to secure it against other vulnerabilities, the required connections to conduct updates, and the use of code signing for authenticity of the connection.
Physical Access: The manufacturer should consider implementing controls that prevent access to the device by an unauthorized person.
Reliability and Availability: The manufacturer should consider incorporating design features that allow the device to detect, resist, respond to, and recover from cybersecurity attacks.
In addition to these recommendations, medical device companies should stay informed on new cybersecurity strategies and practices. This is vital in preserving and protecting devices along with the sensitive health data gathered by these devices. In the long run, this will safeguard patient information and fortify device organizations. Medical device companies have a responsibility to ensure that their devices are secured and equipped with the right cybersecurity. Check out Promenade's medical device software. Promenade has security experts that can advise you on the vulnerabilities of your device and guide you with mitigation strategies. Promenade offers support in both Pre-Market and Post-Market Cybersecurity and finds the best approaches to take with your device.