Cyber attacks are not just a potential threat, they are a reality. It seems that every other week a cybersecurity issue is making headlines globally. We live in an ultra-connected world where medical devices are a big part of what is connected.
When it comes to cybersecurity it’s no surprise medical device manufacturers hold a lot of responsibility. We can’t ignore that any medical device connected to a hospital network or to the cloud may be exposed to some form of medical device cyber attack.
Another challenge lies in the speed at which software changes occur. The responsibility and accountability of manufacturers are not only important during development, but absolutely necessary throughout the entire lifecycle of the device.
What are governments and international organizations doing about medical device cyber attacks?
Governments around the world are working to tackle this issue. In Canada cybersecurity initiatives fall under National Security and Defence, which provides tools and guidance to businesses and private citizens. The US is at the forefront, with the Department of Homeland Security being heavily invested in cybersecurity. There is also NIST (National Institute of Standards and Technology, U.S. Department of Commerce), which works to develop standards and best practices to meet cybersecurity challenges. In the medical device world, the FDA has looked to NIST in developing their own recommendations and has come out with two guidance documents specific to medical devices and cybersecurity.
- Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Guidance for Industry and Food and Drug Administration Staff was released October 2014. The focus is on information the FDA requires in a premarket submission that demonstrates effective cybersecurity management for the device’s software component.
- Postmarket Management of Cybersecurity in Medical Devices – Guidance for Industry and Food and Drug Administration Staff was released January 2016. This document takes a lifecycle approach and provides guidance on how to continually manage cybersecurity concerns once a medical device is on the market.
Both are must reads for device manufacturers who want to enter the US market.
What can manufacturers do about medical device cyber attacks?
Some activities include:
- Conduct risk assessment that addresses cybersecurity risks
- Validate and test software (including off the shelf software)
- Update and strengthen cybersecurity measures for devices on the market. These changes may not necessarily need to be reported to the FDA.
- Validate software changes that address cybersecurity vulnerabilities
- Monitor, identify, and address cybersecurity vulnerabilities in medical devices once they are on the market
- Participate in an ISAO (information sharing and analysis organization) such as NH-ISAC (National Health Information Sharing and Analysis Center) to stay abreast of emerging security risks
New tools for medical device cybersecurity
Manufacturers should stay current when new standards and guidance documents are issued. Earlier this year ANSI (American National Standards Institute) published the UL-2900 series for tackling cybersecurity by providing testing and assessment tools. The FDA will be adopting these standards, which should be in the next round of updates for the FDA’s list of standards. The Standard Council of Canada (SCC) will also be publishing these standards for implementation in Canada. Of particular interest to medical device manufacturers are the following:
- UL-2900-1: Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements.
- UL 2900-2-1: Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare Systems. This standard applies to medical devices, device accessories, medical device data systems and in vitro diagnostic devices.
The main purpose of the UL-2900 standards is to provide testing methods and evaluation criteria for the testing of vulnerabilities, software weaknesses and malware. More specifically the standards look at the following:
- Risk Management
- Core functions of NIST Cybersecurity framework — Identify, Protect, Detect, Respond, Recover
- Documentation requirements
- Quality Management System requirements
- Product assessment (E.g. Vulnerability Testing, Malware Testing, Malformed Input Testing, Penetration Testing, Software Weakness Analysis, Source Code Analysis, Static Binary and Bytecode Analysis)
- Post-market regulatory consideration such as Patch Management and use of CVSS (Common Vulnerability Scoring System)
Demonstrating conformance to these standards will allow manufacturers to provide objective evidence that their products comply with the FDA’s cybersecurity requirements. This makes the UL-2900 standards an invaluable tool for any medical device development team that incorporates connected software.
Focus on medical device safety and risk management has always been the main priority of manufacturers. For devices that contain software and are connected, cybersecurity should now be a pivotal part of safety and risk management. The guidance documents and standards discussed above are indispensable for those who want to make cybersecurity a key part of their software development plan both for safety reasons and to satisfy regulatory requirements.
Deborah Pinchev is the Toronto QA/RA Manager at StarFish Medical. This is her first blog for StarFish.