Securely Testing and Deploying Connected Products
The healthcare industry is a high-value target for cybercriminals. The cost of cybercrime in the healthcare industry continues to rise, with medical records selling for thousands of dollars each on the dark web. Connected medical devices offer new and increasingly impactful ways to improve patient care, but they also bring new risks to the healthcare environment. Careful design and safety testing can help mitigate these risks.
Medical Device Threats
The Internet of Things (IoT) poses many threats, and the stakes are even higher for medical IoT. Theft of medical records isn’t the only risk associated with connected medical devices. Malware on infected platforms can render critical devices inoperable and even hold them for ransom. Devices can also be used as launch pads for further attacks. For example, a hacked medical device connected to a hospital network could be used to attack other systems in the healthcare environment, or simply be enlisted as a drone in a botnet of millions of remotely controlled endpoints to launch attacks outward. Even when the intent is less sinister, unauthorised code running on a medical device can make the device unstable or consume critical computing resources that the device needs to perform its intended function accurately and safely.
It is for these reasons that regulatory agencies such as the FDA are issuing guidance on medical device cybersecurity. In addition, standards such as UL 2900-2-1 have been developed specifically to ensure that medical devices are designed to withstand existing threats and can receive security updates to address future threats. These standards and guidelines emphasise design security and are based on a risk management approach.
Regulatory Issues in the U.S. Food and Drug Administration, Health Canada and the European Union
Due to the changing market environment and increased understanding of medical device threats, the FDA recommends pre-market submissions for devices with cybersecurity risks. Addressing cybersecurity mitigations in advance can help manufacturers identify design and development deficiencies before submitting their products to the market. The Canadian government has a process similar to that of the FDA, in addition to recommending guidance documents to medical device manufacturers. The European Union and other global health systems are beginning to develop similar standards to help ensure the safety of products used in healthcare facilities worldwide. It’s important to understand these requirements and work with a trusted third party to ensure compliance.