Connectivity in Medical Devices
Cybersecurity and Risk Management Principles
29 May 2020
Medical device manufacturers are driven to improve features, functionality, and accessibility that contribute to greater patient care. The incorporation of communications technology into medical devices offers increased potential for monitoring, alerting, collecting and analyzing medical data, controlling medication dosing, and even assisting doctors during surgery.
While the inclusion of computer components and connectivity is certainly leading to greater patient care, it also exposes medical devices to the same cybersecurity struggles that traditional information systems have always faced. As other industries made similar transitions to connectivity, manufacturers that lacked a real process to address cybersecurity were most exposed during times of change. As medical device manufacturers implement more features through connectivity, their exposure to the cyber threat landscape also increases.
The US Food and Drug Administration (FDA) has recommended that cybersecurity design and validation be considered as part of the process currently in place for submissions that include software components. As the FDA continues to align its standards with those of other industries, the need to consider and implement cybersecurity in medical devices will move further into real compliance and conformance requirements.
Further, states like California and Oregon have established laws that require manufacturers to equip any product that has some connectivity with a minimum baseline of cybersecurity. Medical device manufacturers should be prepared to demonstrate compliance with these types of laws as they are implemented by more jurisdictions.
Aligning Cyber and Safety Risk
Medical device manufacturers are familiar with assessing and controlling risk, following the process specified in ISO 14971, and presenting the results to regulators. Creating a parallel process for cybersecurity is strongly recommended.
- Start with a cybersecurity risk management plan.
- Define criteria for acceptable levels of risk across relevant categories, including loss of data, patient information, and safety.
- Understand and document the intended use environment. Devices implanted in humans, devices supporting research in universities, and devices performing surgeries in hospitals all have different risk profiles.
- Perform a cybersecurity-specific risk assessment of the device. Use techniques that exist for traditional information security and apply them to the device as if it were an information system (it is!).
- Where risks are found and determined to be unacceptable, design and implement features that mitigate the highest risks.
- Align the process for cyber risk with the process for safety risk.
- Feed security risks with potential safety impact and security design controls affecting safety into the safety file; feed safety design controls affecting security into the security file.
Benefits of Formal Risk Management
What is the impact on safety if a medical device has cumbersome security features that get in a doctor's way during an emergency? What are the cybersecurity risks inherent in implanted life-saving devices that require a connection to the cloud to perform data processing? Without a formal cybersecurity risk management process, cyber risks cannot be quantified.
As medical devices enter the connected arena and are exposed to unfamiliar threats including hackers and organized crime, what is the current exposure to existing and future vulnerabilities? What stands to be lost in terms of assets such as patient data and safety? What is the plan to navigate legal and regulatory requirements?