There are many regulatory challenges facing medical device companies, but nearing the top of the list is data protection. Companies are spending resources and dollars to avoid becoming the next company confronting cyber threats and/or data breaches. Medical device companies in particular are under enormous pressure to safeguard sensitive corporate information related to patients and privacy, intellectual property (IP), and the data gathered during clinical testing phases.
The life sciences and healthcare industry as a whole has acknowledged that it must embrace corporate governance and drive the centralization of IT compliance oversight. At medical device companies, most IT functions permeate the organization and its processes; therefore, IT compliance is also a process that requires continuous oversight and management. To meet IT compliance obligations, organizations are looking for a structured approach that allows them to identify and prioritize IT controls and establish an enterprise-wide IT compliance program with a heavy emphasis on cybersecurity. A structured approach is also important for compliance with the various standards and legislation, such as the U.S. Sarbanes-Oxley Act of 2002, the ISO 27001 and ISO 27002 standards, the European Union (EU) General Data Protection Regulation (GDPR), and more.
FDA recently set out voluntary guidelines intended to educate healthcare entities and medical device manufacturers on potential cybersecurity threats in the industry. The guidelines advise that threats to the manufacturer may surface in both the design and the development of its medical devices. The FDA guidelines further suggest that companies conduct their own security testing throughout each process. While it is difficult for medical device companies to anticipate each and every threat, they are embracing the creation of a risk management framework to help strengthen their security protocols. Some security protocols recommended by FDA include stronger passwords, locks, two-step authentication, automatic logouts for inactive users, and data encryption.
On March 12, Micro Focus (NYSE: MFGP), a leading global enterprise software company, published its fifth annual State of Security Operations Report and revealed an upward trend across all assessment areas. Despite the volume of threats rising, the findings indicate that more mature Security Operational Centers (SOCs) are becoming more efficient in detection with greater ability to recover from breaches. The report also states there is positive momentum in organizations adopting and deploying security solutions.
Mark Vilicich of CentrexIT, a managed IT services provider, commented to this author that the Micro Focus report shows healthcare as third highest in improvement of Security Operations, with a 7% uptick in 2017. More than half of CentrexIT clients are life science/healthcare companies, and recently the firm found that clients are ready to have the conversations about cybersecurity for their organizations and product offerings. “Our top question is whether it’s enough, considering the current security threatscape for patients and their medical devices, physicians, and hospitals,” stated Vilicich. Note that in December, the American Hospital Association (AHA) requested that FDA step up efforts to ensure that medical device manufacturers bear responsibility for the digital security of their products. Vilicich shared that current metrics present the same message: “The medical/healthcare industry last year accounted for more than 23 percent of total breaches in 2017, resulting in the exposure of more than five million patient records,” as reported by Merlin International and the Ponemon Institute in a survey of more than 600 executives. According to the survey, 62% have experienced an attack in the past year.
Defining and adopting a coordinated security protocol is crucial to monitor and respond to threats. Safeguarding medical devices starts with executive management embracing a security approach to deliver secure products. Vilicich sums it up nicely: “The reality of cybersecurity is that it’s often a multilayered attack, requiring multilayered preventative actions. Connected medical devices are at the center of a growing panic about cyber vulnerabilities in the so-called internet of things… So, we help them with vulnerabilities, and we help them with resources to increase the general cybersecurity hygiene of their devices.”
Embrace your corporate responsibility before it’s too late.