How to Mitigate Cybersecurity Risks for Your Medical Device

"Cybersecurity is IT's problem." That approach is no longer valid.

David Reich and Steven McAleer, Foliage

Medical devices are becoming ever more connected--with health system networks and the Internet, with data repositories and analytics engines, and with other devices. While this "connectedness" can add tremendously to their clinical value, it also makes them more vulnerable to cyber threats.

This stark reality is not limited to healthcare, of course. According to the World Economic Forum Global Risks report published in January 2016, 90% of companies worldwide recognize they are not sufficiently prepared to protect themselves against cyber attacks.This perception has been reinforced by numerous high-profile security breaches at major corporate and retail organizations that have compromised the personal data of millions of consumers.

The Center for Strategic and International Studies estimates that cyber crime costs the global economy more than $445 billion per year.

Threatening Patient Safety

In the healthcare arena, there's a critical difference, as cyber crimes could potentially threaten not just the integrity of personal data, but patient safety, as well. In July of 2015, the FDA issued a safety communication alerting health systems to the potential cybersecurity vulnerabilities of a particular infusion pump. Citing a risk of unauthorized system access, the FDA communication urged healthcare organizations to disconnect the device from their networks and transition to alternative systems.

In 2014, the FDA published guidance focused on incorporating cybersecurity into medical device product development.This guidance, coupled with recent and pending legislation, is increasing the manufacturer's liability and enhancing penalties associated with cybersecurity breaches. This has changed the landscape of healthcare product development accountability. An organization's failure to perform adequate due diligence can result in higher penalties in the event of a breach. Beyond the issue of the loss of highly sensitive data, the FDA's escalated interest is predicated on the fact that these types of breaches create the possibility of serious patient injury, or even fatality.

Healthcare providers are also focusing accountability on device makers. Many are now asking device suppliers to execute legal business associated agreements (BAA) which share or even transfer the liability of a data breach to the supplier, if the device is found to be culpable. This highlights the potential for business risk for device manufacturers, ranging from financial losses to business disruption to irreparable damage to brand equity--on top of the potential for legal and regulatory action resulting from negligence to proactively address the risk of cyber threats.

Reframing the Problem

Compounding the potential risk is the mindset many healthcare device manufacturers have about cybersecurity. The conventional approach focuses on protecting a company's network and technical infrastructure. In other words: "Cybersecurity is IT's problem." That approach is no longer valid.

Medtech companies need to think differently about security as it relates to their products, their business risk, and their customers and patients. With today's complex, interconnected medical devices, cybersecurity cannot be an afterthought; it must be integral to the product. Security must be a central concern starting right from the very beginning of system architecture and continuing through the entire product development lifecycle. Security should be a central focus not just for engineering, but for stakeholders at all levels across the company--from the board room and risk management to R&D, legal and public affairs.

Steps for Reducing Risk

Taking on cybersecurity can be intimidating for device companies for which security is not a core competency. However, effective cybersecurity can be achieved by companies that are willing to take the necessary steps to reduce risk factors and ensure compliance. Conducting a thorough risk assessment, properly developing a structured plan, and then closely following that plan are all critical steps for mitigating organizational exposure through a successful cybersecurity implementation.

Identify the Product's Acceptable Risk Level

Since there is no proven method to eliminate all risk, defining the acceptable risk level is necessary for determining effective security controls. Without a definition of acceptability, investments in security are not guided and can result in investments without a return. To determine this new definition of "done," the product's risks must be itemized by considering the following questions:

By quantifying the impact of these potential harms, companies can identify critical vulnerabilities. An organization may have cybersecurity controls already in place, and these existing controls can be enhanced and aligned to directly protect against the identified vulnerabilities. This is critical for mitigating safety risks and for controlling the associated adverse legal and business risks.

Continually Assess Cybersecurity Risks

It is crucial to evaluate risks and appropriately update mitigation measures throughout the product development lifecycle. This process will likely have an impact on several artifacts in an organization's quality management system (QMS), but it also involves a significant educational effort within the workforce. Product development teams must understand what to look for and be well versed in secure development strategies. This may seem a daunting challenge for many organizations. However, encryption, digital signatures, and other technical controls have an abundance of prior art that can be used to support the process.  

In order to achieve meaningful progress towards ensuring cybersecurity, organizations must fill the identified gaps. Depending on the complexity of the product's architecture, this may not be a trivial task. The initial risk assessment is an extremely valuable input to this activity.  Based on the acceptable risk level, product developers are able to design products that protect not only patients, but medtech companies as well. Security controls can be assessed so those that do not reduce identified risks will not be added, thus focusing development investments on activities that will yield a return.   

New Risks, New Approach

In today's hyper-connected world, security attacks are a reality. As healthcare products become more connected--and as cyber attacks grow in frequency and ingenuity--the risk posed by cyber threats is increasing significantly. Much is at stake, from revenue loss to product recalls to patient safety and brand tarnishment; or worse, the risk of a regulatory body shutting down business operations. And the greatest risk of all to medical technology companies may be the "unknown risks"-- cyber vulnerabilities that are overlooked due to insufficient forethought or expertise.

These risks exist not just with new products in development, but also with existing products. The FDA issued draft guidance recommended that manufacturers "monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices." This is in addition to the FDA's premarket guidance for management of cybersecurity in medical devices.

To effectively manage the cybersecurity risk, business leaders--from chief executives and risk management officers to legal and technology leaders--need to ask themselves some important questions:

Answering "yes" to these critical questions requires that medical technology companies change their approach and make cybersecurity a central focus of their product development and support strategy. By creating a culture of security awareness that permeates the entire organization, augmenting in-house expertise when and where it is needed, companies will be well positioned to reduce cybersecurity risk--and to earn customer trust, a major competitive advantage.

Foliage, part of the Altran Group, is a global product development company partnering with clients to address the business and technical challenges inherent in developing, manufacturing and supporting complex, connected systems. 

[Image courtesy of ruoaa on Pixabay]