It's no secret that medtech is in the crosshairs of cybersecurity risks.
In July 2018 Guardant Health experienced a phishing attack that compromised private information about more than 1,000 individuals. Medtronic received a stern warning last year from the Department of Homeland Security that there were cybersecurity vulnerabilities related to the company's N'Vision clinical programmer used in conjunction with certain neurological implantable therapies. FDA has responded to cybersecurity concerns like these with formal guidance, and cybersecurity is one of the reasons the agency wants to modernize its 510(k) clearance pathway.
"Going back five or 10 years ago, researchers started showing that it was possible to hack into medical devices and possibly cause the patient harm," said Steve Abrahamson, Senior Director of Product Security at GE Healthcare. "... It's never actually happened in the real world, but it is very terrifying to people because it could happen in theory."
Abrahamson recently shared his insights on the subject of cybersecurity during a presentation at MD&M West 2019 in Anaheim, CA.
"There's a shift in mentality when we think about security for medical devices," Abrahamson said. "In traditional safety risk management, we're protecting people from malfunctioning devices. When we think about cybersecurity risk management, we're protecting devices from malfunctioning people."
While there are a number of challenges involved with protecting medical devices from hackers, Abrahamson shared the following "must haves" that hospital organizations are looking for from medical device manufacturers: Devices with built-in product security; security-aware purchasing contracts; and an organizational support plan.
"They want devices with built-in product security. They're actually baking security requirements into their purchasing contracts, so I spend a lot more time than I want to working with our sales and contract team on negotiating terms with our customers and how we will support security within the products that we're selling. And also organizational support, how are manufacturers going to work with users of devices to make sure that products are going to be supported throughout the lifestyle."
Perhaps one of the biggest takeaways from Abrahamson's presentation is the importance of addressing cybersecurity risks across every major function of the organization.
"In many cases, security in the technology area is viewed as an engineering problem," he said. "Yeah, we have smart engineers, they'll figure out how to solve this, but it is not an engineering problem. It has a lot of engineering-based solutions, but it can only be solved by a multifunction approach including engineering, service, product management, and the commercial side."