Medical Devices: Narrowing the Information Security Threat Surface
With the ever-expanding technology ecosystems of organizations, including the proliferation of Wi-Fi-enabled technology and interconnected smart devices, it’s no surprise that cybersecurity risks have increased. With a similar expansion of internet-of-medical-things, medical devices are increasingly at the forefront of potential threats. Last June, the U.S. Food and Drug Administration warned patients and health care providers that certain insulin pumps were being recalled because of vulnerabilities that could allow an outsider to connect and change a nearby pump’s settings. Hackers themselves have been sounding the alarm about these kinds of potential attacks, but doctors, hospitals and manufacturers have been slow to respond, due to limited resources and limited understanding of the threats and risks.
Understanding the Potential Risks
As medical devices become increasingly connected to the internet, hospital networks, and other medical devices, the risk of potential cybersecurity threats becomes more real. Just like computer systems, connected medical devices are vulnerable to security breaches. These breaches could allow unauthorized users to remotely access, control, and issue commands to compromised devices, potentially harming patients. More likely at this point are malware attacks designed to hack private patient data or worse, shut down hospital computer systems and disrupt patient care. It is essential to understand that there are unique challenges with legacy medical devices that are nearing or are at end of their life term. This could mean no updates have been performed in quite some time and the devices are vulnerable. These issues present significant challenges for healthcare IT departments when asked to demonstrate their compliance around remediation vulnerable operating systems.
How to Mitigate Risks
The FDA has continued to issue guidance to address cybersecurity throughout the product life cycle of medical devices, and it primarily remains the manufacturer’s responsibility to assess its own products and implement adequate risk mitigation measures both pre and post market. However comprehensive medical device cybersecurity will depend on shared responsibility across the ecosystem, meaning it’s up to biomedical engineers, medical device manufacturers, and hospitals to work together to devise and implement adequate security measures.
In general, a good risk management plan includes three main parts:
1. Good Governance. It is imperative to develop and implement your own medical device risk management procedures and policies. This can be achieved through participation in industry initiatives that help set security standards and engage with the larger community in the ongoing campaign to educate on emerging risks. Starting with a good framework will help you effectively assess and address cybersecurity vulnerabilities.
2. Ongoing Assessments. Cybersecurity is a fast-paced, ever-changing landscape, so plan to implement continuous, standardized assessments of current and emerging threats to medical devices. In addition to mitigating risks upfront during the design and procurement process, there should be ongoing monitoring of all intrusions or attempted intrusions, new threats, and potential vulnerabilities. Log and report all your findings and perform regular system audits. Does your procurement process, and more generally, your vendor management program do more that gather control reports? Obtaining and evaluating these reports (for example: Service Organization Control reports and Manufacturer Disclosure Statements) for language that presents red flags is a good starting point.
3. Targeted Risk Management. For specific guidelines on medical device cybersecurity risk management, the FDA guidance is the best place to start. But, in general, your risk management checklist should include:
For the device:
· Comprehensive organizational asset inventory
· Appropriate network segmentation for medical devices
· A regulated method for data flow and transmission
· Software update procedures
· Safeguards to protect against device failure
· Physical safeguards for preventing damage and theft
· Regularly assessed and updated security controls
· Limited authorized device access
· Appropriate warnings and procedures concerning cybersecurity included in instructions for use
· Regulatory compliance and risk-hazard assessments conducted at the design, testing and manufacturing stages of product development
· Ongoing current threat analysis and intelligence
For your company:
· A tested action plan in place for a potential cybersecurity breach. Does your Incident Response Plan also consider medical device incidents?
· Patients, doctors and health care networks are trained on cybersecurity protocols and practices, including an emphasis on safe email practices
· Patients, doctors and health care networks can be easily contacted for security updates and alerts
It’s critical to work with cybersecurity experts and legal counsel to make sure all medical device cybersecurity vulnerabilities are being addressed. If you’re looking to implement or assess your own risk management plan Beckage PLLC has a team of experts working at the intersection of healthcare, law and technology. This unique background allows us to advise on cutting edge and emerging technologies with the practical know-how related to health law.
Attorney Advertising: Prior results do not guarantee a similar outcome.