Cybersecurity and Risk Management Principles
Medical device manufacturers are committed to improving the features, functionality and ease of use of their devices to improve patient care. Incorporating communications technology into medical devices offers greater possibilities for monitoring, alerting, collecting and analysing medical data, controlling medication dosages, and even assisting physicians during surgical procedures.

While the addition of computer components and connectivity will undoubtedly lead to better patient care, it also exposes medical devices to the same cybersecurity issues that traditional information systems have always faced. As other industries have found when making similar shifts to interconnectivity, manufacturers that lack a real process for addressing cybersecurity issues are the most exposed during times of change. As medical devices become more capable through connectivity, the cyber threat environment their manufacturers face grows with them.

Coordinating Cyber and Safety Risks
Medical device manufacturers are familiar with assessing and controlling safety risks in accordance with the process set out in ISO 14971 and presenting the results to the regulator. Creating a parallel cybersecurity risk management process is highly recommended.

1. Start with a cybersecurity risk management plan.
2. Determine criteria for acceptable levels of risk for relevant categories, including data loss, patient information, and patient safety.
3. Understand and document the intended use environment. Devices implanted in the human body, devices supporting university research, and devices performing surgery in hospitals all have different risk profiles.
4. Perform a cybersecurity risk assessment of the device. Use existing traditional information security techniques and apply them to the device as if it were an information system (which it is!).
5. When risks are identified and determined to be unacceptable, design and implement features that reduce the highest risks first.
6. Align the cyber risk process with the safety risk process.
7. Incorporate cyber risks that have potential safety impacts, and cyber design controls that affect safety, into the safety documentation; incorporate safety design controls that affect cybersecurity into the cybersecurity documentation.

Requirements
The U.S. Food and Drug Administration (FDA) recommends that cybersecurity design and validation be considered part of the current submission process for devices that include software components. As the FDA continues to align its standards with the rest of the industry, the need to consider and implement cybersecurity in medical devices will increasingly translate into concrete regulatory and compliance requirements.

Additionally, states such as California and Oregon have enacted laws that require manufacturers to have a minimum cybersecurity baseline in any product with some connectivity. As these laws are implemented in more areas, medical device manufacturers should be prepared to demonstrate compliance with these types of laws.

Benefits of formal risk management
If a medical device has cumbersome security features, what are the safety implications for physicians in an emergency? What are the inherent cybersecurity risks of implantable life-saving devices that need to connect to the cloud to perform data processing? Without a formal cybersecurity risk management process, it is impossible to quantify cyber risk.

What are the current and future vulnerabilities facing medical devices as they move into the connected realm and face unfamiliar threats such as hacking and organised crime? What is the potential loss of assets such as patient data and patient safety? What are the plans to address legal and regulatory requirements?

Find out how Intertek is helping to secure medical device connectivity through risk planning, management and assessment through our information pages.

Author: tanxuabc
