I recently attended a conference on Medical Device Cybersecurity hosted by MedTech Intelligence held March 23-24, in Washington, DC. It’s evident that cybersecurity is an important concept as attendance, both in-person and remote, was high. Conference organizers lined up a powerhouse group of presenters who are all entrenched in the technology, cybersecurity, legal and regulatory compliance industries.
For two days, attendees had the opportunity to hear from and converse with officials from FDA, cybersecurity experts from the Mayo Clinic and the Medical Device Innovation Safety and Security (MDISS) Consortium, attorneys specializing in life sciences and healthcare and engineers in medical device manufacturing.
For those of you who were unable to attend this event, here are my top 5 takeaways:
#1 Diversity is One of the Biggest Challenges for Cybersecurity
Technology is advancing and so must our ability to understand and control it. One of the biggest challenges with medical device development is diversity. Devices are designed, manufactured and configured using various languages, operating systems and platforms. Organizations using older versions of operating systems, network technology and software applications are more vulnerable to security risks. Given the criticality of cyber protection, product safety and efficient risk assessment, barriers and the unwillingness to adopt advanced technology must be removed.
#2 FDA Advocates Proactive and Collaborative Approach to Cybersecurity
Dr. Suzanne Schwartz, associate director for science and strategic partnerships, CDRH, gave attendees a candid description of FDA’s take on cybersecurity. The emphasis of an organization’s cybersecurity efforts is to protect instead of prevent. “The ability to eliminate a cybersecurity hack is not possible,” said Schwartz. She recommended fostering a culture of continuous quality improvement by implementing a proactive, comprehensive risk management program and engaging in collaborative information sharing.
During her presentation, Dr. Schwartz took the opportunity to dispel a few myths involving cybersecurity in medical device manufacturing:
- Myth: Manufacturers are not permitted to make cybersecurity updates to devices without first going back to FDA for re-certification.
- Fact: Most medical device software changes made solely to strengthen cybersecurity do not require pre-market review or product recall (although there are some exceptions).
- Myth: Cybersecurity of medical devices is voluntary for medical device manufacturers and not enforceable.
- Fact: Medical manufacturers are required by law to comply with all applicable regulations, including the quality system regulations (QSRs). The pre- and post-market cybersecurity guidances articulate that a comprehensive, structured and systematic cybersecurity risk management program is necessary under the Quality System Regulation.
- Myth: The FDA is the federal entity solely responsible for the cybersecurity of medical devices.
- Fact: The FDA works closely with several government agencies including the U.S. Department of Homeland Security, members of the private sector, medical device manufacturers, healthcare delivery organizations, security researchers and end users to increase the security of the U.S. critical cyber infrastructure.
- Myth: Healthcare delivery organizations (HDOs) cannot update and patch medical devices for cybersecurity.
- Fact: The FDA recognizes that HDOs are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.
#3 Industry Wants Companies to be More Transparent About Security Issues
People aren’t always keen on talking about their problems, particularly when it involves exposing potential weaknesses. The FDA is striving to change that attitude among life sciences industries by encouraging companies to openly discuss their experiences with cybersecurity through the Information Sharing and Analysis Organization (ISAO) program.
Forget the perception of a group therapy session, sitting in a circle and first-name-only introductions. The idea behind ISAO, operated by the ISAO Standards Organization, is strength in numbers as a way to collectively combat cyber adversaries. The intended benefits of the program include:
- Compels companies to look closer at cybersecurity in their own supply chains and devices
- Enables participants to exchange ideas with other companies experiencing similar issues
- Gives participating organizations an opportunity to provide input on developing cybersecurity standards
Participation in the program is voluntary and organizations from any sector, non-profit or for-profit are allowed to contribute. The program is still being shaped, but the Standards Organization assures that trust is critical and participants needn’t fear that shared information will be exploited in any way.
#4 Security is a New Stakeholder in Medical Device Development
Medical device design involves gathering requirements that help delineate the product’s architecture and development lifecycle, such as:
- Safety risk controls
- Regulatory standards
- Environment where the device will be used
- End users (human factors)
With the vast interconnectivity of medical devices, security now has a seat at the design table, accompanied by its own list of requirements. Many cybersecurity weaknesses are a result of poor design choices and a lack of requirements. Having a security expert who is familiar with medical device development review the device’s architecture can uncover weaknesses and even discover more cost-effective ways to manufacture the product.
There is no such thing as a completely secure device. But with creative planning and design, the level of security can be increased.
#5 Many Vulnerabilities Can be Prevented at the Design Stage
The online world is a hostile environment. Threat actors, ranging from teenage hackers to organized crime groups, are constantly coming up with new ways to infiltrate computer environments. At the same time, healthcare industries have become fully dependent on technology, creating more opportunities for cybercriminals to carry out attacks.
With the immense number of network-connected computer systems and medical devices, vulnerabilities can exist anywhere—some are inherent in the technology, while others are a result of poor design or configuration choices. Awareness and careful planning can eliminate many of the common security gaps, including:
- Authentication: Authentication vulnerabilities include web site configurations that don’t require authentication passwords, use hardcoded or easily guessed passwords or use single account login credentials for multiple users.
- Configuration: Configuration vulnerabilities can result from leaving data transfer protocol functionality (FTP, Telnet, TFTP) operational when not in use, failing to change default credentials and disabling security software.
- Operating system: Operating system vulnerabilities exist when organizations use older operating system versions with no upgrade paths, fail to install patches or install only partial patches, download and implement open source software with known vulnerabilities or breaches.
- Lack of encryption: Information such as transmitted data and source code that is unencrypted can easily be intercepted and even manipulated by intruders.
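As an added example (not code from the article, the conference presenters or MasterControl), the Python script below turns the four gap classes listed above into an automated configuration check a manufacturer or HDO could run before a device goes on the network. The DeviceConfig fields, the default-credential list, the end-of-life OS names, the patch identifiers and both sample configurations are constructed for illustration; the script reports every gap in a device as it might ship and confirms that a hardened configuration of the same device produces none.

```python
# Added example: audit a device configuration against the four gap classes
# (authentication, configuration, operating system, lack of encryption).
# All field names, lists and sample values here are constructed, not taken
# from any real device or vendor.
from dataclasses import dataclass, field

# Factory credentials commonly shipped on embedded devices (constructed sample list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234"),
}
# Cleartext transfer/management services that should be off unless actively needed.
CLEARTEXT_SERVICES = {
    "ftp": "FTP sends credentials and files in cleartext",
    "telnet": "Telnet sends the whole login session in cleartext",
    "tftp": "TFTP has no authentication at all",
}
# OS builds with no vendor upgrade path (constructed placeholder names).
END_OF_LIFE_OS = {"legacy-os-5.1", "legacy-os-6.0"}


@dataclass
class Account:
    user: str
    password: str
    shared: bool = False           # one credential used by several people


@dataclass
class DeviceConfig:
    services: dict[str, bool]      # service name -> enabled?
    accounts: list[Account]
    web_auth_required: bool        # does the web interface demand a login?
    tls_for_data_transfer: bool    # is transmitted data protected in transit?
    firmware_encrypted: bool       # is the firmware image protected at rest?
    security_software_enabled: bool
    os_version: str
    missing_patches: list[str] = field(default_factory=list)


def weak_password(pw: str) -> bool:
    """Short, all-digit or dictionary-style passwords count as easily guessed."""
    return len(pw) < 8 or pw.isdigit() or pw.lower() in {"password", "admin", "letmein"}


def audit(cfg: DeviceConfig) -> list[tuple[str, str]]:
    """Return (gap class, description) pairs, one per gap found."""
    findings = []

    # 1. Authentication: missing login, factory/weak passwords, shared accounts.
    if not cfg.web_auth_required:
        findings.append(("authentication", "web interface reachable without a login"))
    for acct in cfg.accounts:
        if (acct.user, acct.password) in DEFAULT_CREDENTIALS:
            findings.append(("authentication", f"account '{acct.user}' still uses factory credentials"))
        elif weak_password(acct.password):
            findings.append(("authentication", f"account '{acct.user}' has an easily guessed password"))
        if acct.shared:
            findings.append(("authentication", f"account '{acct.user}' is shared by multiple users"))

    # 2. Configuration: cleartext services left running, security software off.
    for svc, enabled in cfg.services.items():
        if enabled and svc in CLEARTEXT_SERVICES:
            findings.append(("configuration", f"{svc} enabled: {CLEARTEXT_SERVICES[svc]}"))
    if not cfg.security_software_enabled:
        findings.append(("configuration", "endpoint security software is disabled"))

    # 3. Operating system: no upgrade path, patches not applied.
    if cfg.os_version in END_OF_LIFE_OS:
        findings.append(("operating system", f"{cfg.os_version} has no upgrade path"))
    if cfg.missing_patches:
        findings.append(("operating system", f"{len(cfg.missing_patches)} patch(es) not installed"))

    # 4. Lack of encryption: data in transit and firmware at rest.
    if not cfg.tls_for_data_transfer:
        findings.append(("encryption", "data transfer is not encrypted in transit"))
    if not cfg.firmware_encrypted:
        findings.append(("encryption", "firmware image is stored unencrypted"))
    return findings


# Constructed sample: a device as it might leave the factory.
AS_SHIPPED = DeviceConfig(
    services={"https": True, "ftp": True, "telnet": True, "tftp": False},
    accounts=[Account("admin", "admin"), Account("nurse", "ward1", shared=True)],
    web_auth_required=True,
    tls_for_data_transfer=False,
    firmware_encrypted=False,
    security_software_enabled=False,
    os_version="legacy-os-5.1",
    missing_patches=["PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"],
)

# The same device after the design-stage fixes the section calls for.
HARDENED = DeviceConfig(
    services={"https": True, "ftp": False, "telnet": False, "tftp": False},
    accounts=[Account("admin", "J7!q-v0t3rL#sbq"), Account("nurse.a", "Gk2$wpz9Lm!e")],
    web_auth_required=True,
    tls_for_data_transfer=True,
    firmware_encrypted=True,
    security_software_enabled=True,
    os_version="supported-os-7.2",
)

if __name__ == "__main__":
    for gap, detail in audit(AS_SHIPPED):
        print(f"[{gap}] {detail}")
    print("hardened findings:", audit(HARDENED))
```

The check is deliberately structured as one finding per gap so that each line of the report maps back to one of the four classes above; in practice the password heuristic and the default-credential and end-of-life lists would be replaced by the organization's own policy and the manufacturer's support matrix.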
Cybersecurity is a big topic that we’re all working to get our heads around. Stay tuned for upcoming posts on the conference and cybersecurity in general.
David Jensen is a marketing communication specialist at MasterControl. He has been writing technical, marketing and public relations content in technology, professional development, business and regulated environments for more than two decades. He has a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.