Medical device cyber threats are real and ever present – How to implement effective security risk management

Cybersecurity threats to connected medical devices are real, ever-present, and continuously changing, according to the US Food and Drug Administration (FDA). Hospital networks experience constant intrusion and attack attempts, which pose a serious threat to patient safety.

Increased connectivity of medical devices to hospital IT networks provides significant benefits to patient care, but it also exposes manufacturers, healthcare providers and patients to cybersecurity risks that can affect the safety of the estimated 10 to 15 million connected devices currently in use by patients.

The FDA has now published guidance for post-market cybersecurity risk management of networked medical devices, in addition to the pre-market guidance it issued in 2014. The new guidance recommends that manufacturers consider cybersecurity throughout the entire lifecycle of a device by developing "a structured and comprehensive program to manage cybersecurity risks", including after their products have been sold.

The newly published post-market recommendations provide device manufacturers with a set of practices designed to assure the security of devices once in use. These include:

  • Monitoring cybersecurity information to help identify and detect vulnerabilities.
  • Maintaining software life-cycle processes such as:
    • Monitoring third-party software components for new vulnerabilities.
    • Design verification and validation for software updates and patches.
    • Using threat modelling to help maintain the safety and performance of a device.
    • Mitigating cybersecurity vulnerabilities early and before they are exploited.
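The third-party component monitoring practice listed above is concrete enough to show in code. The following is an added example, not FDA or Nova Leah material: it matches a device's component inventory against a list of vulnerability advisories using version ranges, ranks the hits by severity, and states the required action (upgrade to the first fixed version, or flag that no fix exists so a compensating control is needed). The component names, versions and advisory identifiers are constructed for illustration and are not real products or real advisories.

```python
"""Match a device's third-party component inventory against vulnerability
advisories, using version ranges, and rank what needs action.

Added example for illustration only. The inventory and advisories below are
constructed and do not correspond to real software or real advisories."""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1). A trailing suffix such as '-rc1' is dropped.
    Anything that does not start with digits raises instead of silently
    becoming 0: a component whose version cannot be compared must be reviewed
    by hand, not skipped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version: {v!r}")
        parts.append(int(m.group()))
        if m.end() != len(piece):  # e.g. '1-rc1': stop after the number
            break
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """a < b, comparing element-wise with zero padding so '1.2' == '1.2.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


@dataclass
class Component:
    name: str
    version: str


@dataclass
class Advisory:
    advisory_id: str
    component: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix
    severity: str             # critical / high / medium / low


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when comp.version lies in [introduced, fixed) for this component."""
    if comp.name != adv.component:
        return False
    if version_lt(comp.version, adv.introduced):
        return False                       # older than the affected range
    if adv.fixed is not None and not version_lt(comp.version, adv.fixed):
        return False                       # already at or past the fix
    return True


def build_report(inventory, advisories):
    """Return matched findings, highest severity first, each with an action."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            if adv.fixed is None:
                action = "no fixed version published; apply compensating controls and track"
            else:
                action = f"upgrade {comp.name} to {adv.fixed} or later"
            findings.append({
                "component": comp.name,
                "version": comp.version,
                "advisory": adv.advisory_id,
                "severity": adv.severity,
                "action": action,
            })
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["component"]))
    return findings


# Constructed sample data (hypothetical device firmware and advisories).
INVENTORY = [
    Component("libtls", "2.4.1"),
    Component("embedded-httpd", "1.0.7"),
    Component("json-parser", "3.2.0"),
]
ADVISORIES = [
    Advisory("ADV-0001", "libtls", "2.0.0", "2.4.2", "high"),
    Advisory("ADV-0002", "embedded-httpd", "1.0.0", None, "critical"),
    Advisory("ADV-0003", "json-parser", "2.0.0", "3.0.0", "medium"),  # fixed
    Advisory("ADV-0004", "libtls", "2.5.0", "2.5.3", "high"),         # too new
]

if __name__ == "__main__":
    for f in build_report(INVENTORY, ADVISORIES):
        print(f"{f['severity']:<8} {f['advisory']}  {f['component']} {f['version']}: {f['action']}")
```

Run against the sample data, the report lists the unpatched critical advisory first and the high one with an available upgrade second; the two advisories whose ranges do not cover the shipped versions are excluded. In practice the inventory would come from the device's software bill of materials and the advisories from a vulnerability feed; the matching logic stays the same.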

The FDA pre-market recommendations include:

  • Identification of assets, threats and vulnerabilities.
  • Assessment of the impact of threats on device functionality and patients.
  • Assessment of the likelihood of a threat or a vulnerability being exploited.
  • Determination of risk levels and suitable mitigation strategies.
  • Assessment of residual risk and risk acceptance criteria.

Manufacturers can do this by building in security controls during the product design phase and by continuously monitoring devices to address ongoing cybersecurity concerns.

Importantly, the FDA also recommends collaboration between stakeholders (medical device manufacturers, health IT developers, IT system integrators and end users), with cyber-threat information sharing as an effective approach to addressing risk.

The onus is now very much on medical device manufacturers to adopt a proactive and vigilant approach to evolving cybersecurity threats and vulnerabilities when designing, developing and maintaining the security of their medical devices.

Expert Medical Device Risk Assessment with SelectEvidence®

SelectEvidence® is a collaborative cybersecurity expert system that supports medical device manufacturers in designing, verifying and certifying connected medical devices to meet these FDA guidelines and industry security standards. It also assists healthcare providers in the selection, acquisition and risk management of medical devices on their healthcare networks.

SelectEvidence® allows stakeholders to implement cybersecurity requirements for their devices using proven standards within a collaborative framework. SelectEvidence® is supported by state-of-the-art repositories and machine learning capabilities that inform each step of the cybersecurity management process, providing full traceability from risk identification to treatment.

SelectEvidence® handles all pre-market risk management and continuously monitors and manages post-market risk processes for manufacturers and/or healthcare providers. The system is a cradle-to-grave solution, managing cybersecurity processes from product development to product retirement.

SelectEvidence® can be deployed as a standalone cybersecurity expert system for an individual stakeholder or can be used as a collaborative solution for managing risk and security between both manufacturers and healthcare providers.

SelectEvidence® not only assists medical device manufacturers to fully comply with FDA recommendations, it also:

  • Accelerates medical device design, development and validation.
  • Reduces time-to-market for new 510(k) and PMA submissions.
  • Reduces costs associated with post-market surveillance documentation and reporting.
  • Reduces the likelihood of recalls due to cybersecurity vulnerabilities.
  • Breaks down knowledge barriers between manufacturers and healthcare providers, improving the security of a device over its lifetime.
  • Reduces the time spent selecting security controls to support a device in operation.
  • Produces documentary evidence of compliance to regulators, auditors and customers.

About Nova Leah
SelectEvidence® is brought to you by Nova Leah Ltd, a medical device cybersecurity risk management company headquartered in Ireland. For more information about us go to http://www.novaleah.com