For medical device manufacturers, technology is a double-edged sword. The technologies that elevate the quality of life for patients can be used by cyber actors to undermine both the manufacturing organization and the products themselves. This means cybersecurity is as much a quality issue as it is a security issue.
Preventing all security threats and attacks is simply not possible. Therefore, the focus needs to shift from prevention alone to rapid detection, risk analysis and recovery. To further complicate things, cybersecurity is not just about technology. There is a human component involving users’ online activities that companies need to address with cybersecurity policies. This is where an electronic quality management system (EQMS) can be a valuable asset for assisting with your cybersecurity efforts.
Cybersecurity Fire Drill
Here is a not-so-hypothetical scenario. The IT department at a medical device manufacturing company has just detected a security breach. The IT staff springs into action and starts working to isolate the vulnerability and to contain and mitigate the breach.
Any number of vulnerabilities can exist on an organization’s network infrastructure, especially with the growing number of remote laptops and mobile devices. Unfortunately, it’s getting easier for cyber actors to hack into networks. Tools that can scan and discover a computer system’s vulnerabilities can easily be found online. In many cases, an intrusion can exist on a network for weeks or months before being detected.
Resolution is an All Hands Endeavor
A security breach impacts the entire organization. Depending on the company’s incident response plan, a lot of things need to happen in a short amount of time to resolve the situation with the least impact on operations and deliverables.
To determine the nature of the breach, the IT department needs to review network activity logs and data. This helps identify anomalies and suspicious activities to help pinpoint when, where and how the intrusion occurred.
Meanwhile, executive managers, along with the corporate communications department need to consult with the legal team on a policy for informing customers and other stakeholders. The quality staff needs to perform impact and risk assessments and consult with regulatory officials to keep them apprised of the recovery process. All of these different departments need critical context about the attack and extent of damage from the IT team in order to set priorities and make decisions.
As at many companies, internal departments are siloed. They rarely interact with one another, much less share information. Still, people throughout the organization are pulled from their ‘day jobs’ to deal with the incident, so a speedy recovery is in everyone’s best interest. However, during a security incident people are under pressure, and that is when mistakes happen. How do you get these disparate department heads to come together and work to a common agenda?
Fortunately, being a regulated organization, this medical device manufacturer uses an electronic quality management system (EQMS). All data organization, routing and reporting tasks are automated, and the different types of information each department needs are compiled and prioritized in a centralized repository. Each department and stakeholder can retrieve relevant data and generate customized reports, giving them the ability to make faster and more informed decisions. The EQMS fosters the much-needed collaboration without the different departments even being aware of it.
Cybersecurity incidents usually compel a company to shore up its borders and pursue continuous improvement to prevent further intrusions. This includes striving to adapt to the changing cybersecurity environment. Organizational leaders need a way to understand cybersecurity threat intelligence to assess how risks are identified and managed.
With an EQMS, the company can compile and organize risk analysis data for multiple risk types, including the network infrastructure, workflows and documentation. This data helps ensure that sufficient protection is in place at each stage of data transfer, processing and storage.
Employee Awareness and Training
As mentioned, cybersecurity is not just about technology. Given the complex nature of cybersecurity, all employees should be aware of the latest trends and hacking techniques. Many vulnerabilities can be eliminated through employee awareness and training.
Following the breach, the company drafted new policies regarding users’ network activity that address:
- Accessing insecure and potentially compromised websites
- Opening and responding to emails from unknown senders
- Linking non-company mobile devices to the company network
- Bypassing corporate IT administrative gates on software downloads (shadow IT)
- Using portable storage devices and taking them out of the building
- Creating easily guessed passwords and sharing passwords
In addition to the new policies, all employees are required to participate in regular cybersecurity training programs. Again, the company’s EQMS integrates with all quality management processes, including training. It’s easy to incorporate the updated policies and new training programs into its automated quality management training structure.
To effectively combat ongoing cybersecurity threats, there needs to be a clear definition of who is responsible for infrastructure, policy development and communication. To achieve this, regulatory agencies and cybersecurity experts strongly advocate effective and unified collaboration across the enterprise.
What has been your experience with cybersecurity incidents? Please comment below.
David Jensen is a marketing communication specialist at MasterControl. He has been writing technical, marketing and public relations content in technology, professional development, business and regulated environments for more than two decades. He has a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.