Medical Device Manufacturers Need To Act As Regulators Sharpen Their Cybersecurity Guidelines

Mike has over 15 years of experience in healthcare, including extensive experience designing and developing medical devices. MedCrypt, Inc.

Cybersecurity in healthcare is typically understood by the public as synonymous with ransomware attacks that shut down hospital operations or an employee mistake that leaks sensitive protected health information (PHI). However, as early as 2005, the Federal Drug Administration (FDA) began issuing thoughts on how connected medical devices introduce potential cybersecurity risks to patient health.

Fast forward to today, and nearly every device manufacturer either has a connected device on the market or one on their next-generation roadmap. Connectivity has become ubiquitous across devices with the promise to deliver better clinical outcomes for patients and providers. Device manufacturers, however, frequently struggle to dedicate adequate budget to securing these connected devices.

What The FDA Is Doing Now

According to Medtech Insight, the FDA believes “cyberattacks against hospital systems and networks can directly result in harm to patients.” Since the FDA is the governing agency over the security of medical devices as it pertains to patient safety and the market approval process, they will likely add additional scrutiny to the cybersecurity risks of new devices submitted for regulatory approval.

While we may consider the FDA a behemoth with specialized clinical reviewers, the latest appropriation request demonstrates the need for new cybersecurity resources that will increase the agency’s capacity to analyze the cybersecurity posture of new submissions. As noted in the fiscal year 2023 justification of estimates, FDA is seeking a medical device cybersecurity budget of $5.5 million.

Because the FDA cybersecurity team has been very public and communicative, and built great collaboration across the community, it will be exciting to see what can be accomplished with these additional resources.

Translation To Device Development

With the latest guidance release for cybersecurity in medical devices, the path forward fits into the existing medical device lifecycle. While some may cite this as not relevant until finalized—by definition, “guidance” means that this is FDA’s current thinking. Anecdotally, device manufacturers with clinically effective devices have failed to receive FDA approval solely due to inadequate consideration of cybersecurity risks.

Imagine the development of a device. The idea for a next-generation version, or a brand new device, comes about. It takes about at least 24 months to go from concept to a product, and likely another 12 months to enter the market.

That means it’s at least 3 years (average three to seven years) for a device to go from concept to reality. After that, it has a supported life cycle and may even operate outside the supported period if it is otherwise clinically effective.

Software, on the other hand, can become vulnerable the day after it is written. This isn’t intended to be hyperbolic; there are several factors about how software is developed that can impact its defensibility. However, the Log4J vulnerabilities that spread like wildfire across the healthcare sector (and continues to be an issue for many) is indicative of how a single vulnerability can be exploited and why software vulnerabilities must be managed tightly.

It thus makes sense why the 2022 cybersecurity draft guidance makes heavy mention of processes spanning people, technology and maintenance over the lifetime of a device. Merely “ticking the box” on security is not sufficient. It goes beyond and requires a systemic re-think of how security is both designed, implemented and maintained beyond the regulator software development and release process.

How To Start

It isn’t all doom and gloom. There are practices that, if put into place, can meaningfully position a medical device to combat the hostile hospital network it operates on.

For example, the draft guidance of the “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” was released in April 2022. The document offers a few areas of focus that the FDA will endorse once finalized (expected in 2023):

• Secure product development framework (SPDF)

• Security risk management

• Threat modeling

• Cybersecurity testing during the development lifecycle

• Security documentation like SBOM and risk traceability matrix

Released in 2016, the guidance for “Postmarket Management of Cybersecurity in Medical Devices” also includes a combination of process and procedural requirements for both medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs), such as:

• Understanding, assessing and monitoring vulnerabilities and risks

• Robust software lifecycle processes that include having a process for ongoing updates and patches

• Threat modeling cybersecurity risks around a medical device

• Participating in a coordinated vulnerability disclosure program

These guidance documents confirm the FDA has expectations that MDMs and HDOs will collaborate to build a more robust security ecosystem, which unsurprisingly has held true for other regional regulators, including Europe, Australia, Japan and elsewhere.

Conclusion

A secure product development framework (SPDF) aligned with the manufacturer’s quality management system can guide an organization to deliver a secure product and to meet market and regulatory requirements.

Cybersecurity considerations are required during all lifecycle phases, including concept, design and architecture, development and testing, validation and verification, and production. This goes hand in hand with security-compliant maintenance processes that require postmarket data collection and vigilance as well as vulnerability management and mitigation.

Security-capable pre- and post-market processes are a prerequisite to deliver more secure devices to the market and to make it easier to maintain the device’s security posture. With a proactive strategy, resources can be allocated and find mistakes before there is an issue. Ultimately, there can be reduced security risks and overall lower cost associated with security.

Between patients, consumers, regulators, technologists, device manufacturers and healthcare providers, there seems to be hope that each will finalize on a requirements list for delivering secure healthcare. While each stakeholder is rapidly aligning on solving today’s concerns, waiting for a single standard to rule them all will leave you waiting.

Our industry cannot wait for complete alignment, but must deploy best practices today while architecting for the next generation. Security is no longer a nice-to-have, but an imperative. If we only incrementally improve, we will never meet the security needs of our ecosystem.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?


link

Leave a Reply

Your email address will not be published.