Medical device manufacturers need to activate their own processes to adequately anticipate and mitigate the safety, security, and business risks that come with connected medical devices.

By Scott Sheaf

Connected medical devices are opening up new possibilities for patients and providers—and introducing new risks to patient safety, data privacy, and IP protection.

At Black Hat 2014, held in Las Vegas in August, the Medical Device Security Roundtable attracted more than 100 attendees eager for answers. But if they came looking for answers, what emerged were more questions that the industry must address—and soon.

Here are five key questions that medical device manufacturers should be asking themselves now.

Are Existing Regulations Enough?

So far, FDA’s position has been that the industry should be able to use the existing regulatory framework (primarily ISO 14971) to manage cybersecurity risk for medical devices. But roundtable attendees at Blackhat brought up a number of questions the current framework leaves unanswered. FDA has issued a draft guidance document for device cybersecurity. Also, an AAMI working group is developing a TIR called Principles for Medical Device Information Security Risk Management, scheduled for release next year, which should help. But manufacturers should not wait for new legal regulations to guide them in developing cybersecurity protocols. In order to adequately protect themselves from risk and liability, manufacturers will need to develop their own best practices for risk assessment and mitigation.

Do My Risk Management Protocols Cover Security Risks?

Most medical device manufacturers have done an excellent job of developing protocols to identify and mitigate safety risks, such as electrical components that present a shock risk or poorly designed controls that could lead to an accidental overdose. But companies must recognize the difference between safety and security within their existing risk management processes, and keep both kinds of exposure in mind. As more medical devices are connected to hospital networks, to the Internet, and to each other, we introduce new risks to patient safety and privacy. What kind of data does the device send and receive, and how is it encrypted? What kinds of patient safety risks would be introduced in the event of a disabling Denial of Service (DoS) attack or introduced virus? Does the device open a backdoor into the hospital network? Developers must look at all of the potential risks introduced by connected devices and establish cybersecurity risk management protocols that are both comprehensive and testable.

How is Device Cybersecurity Different from Network Security?

Often, cybersecurity is considered synonymous with network security—but when it comes to medical devices, the two aren’t the same thing. Medical devices have a very different security profile, and network security experts aren’t necessarily prepared to assess device security risks. Bluetooth or Wi-Fi connections and network ports on medical devices introduce different kinds of risks. Portable medical devices can also be carried away and taken apart—allowing skilled agents to reverse engineer hardware or firmware to discover potential vulnerabilities. Once discovered, these vulnerabilities could be used to sabotage the device itself, or to pivot into a hospital network to steal financial data or introduce a virus. Manufacturers need to look beyond network security measures and look at the unique risks presented by each individual device.

What is My Obligation to Support 'Responsible Disclosure'?

If an outside security researcher, medical provider, or end user of your device discovers a security risk, will they know how to inform you? And will your people know what to do with the information? Risks uncovered by outside agents, accidentally or through deliberate probing, can expose manufacturers to liability if they do not have a publically accessible reporting mechanism and clear internal procedures for investigating and mitigating reported risks. Developing a clear internal policy for responding to disclosures, and making both the policy and the reporting mechanism easily visible for the public, can help companies reduce their exposure.

How Do I Prepare to Meet Emerging Regulations Worldwide?

While FDA’s draft guidance has left medical device developers with many questions, the United States is at least starting to address the issue. Europe, Asia and other world markets have provided limited (if any) guidance to date. Medical device manufacturers need to start looking ahead to anticipate how regulation will evolve in these markets. In the meantime, they are on their own to establish stringent cybersecurity standards and testing protocols that identify potential risks and protect them from liability.

While regulatory agencies work to catch up with the new technology, medical device manufacturers need to look beyond their own industry for answers. Traditional technology companies have been grappling with the realities of living in a connected world for years: how to weigh risks and benefits, how to stay one step ahead of the hackers, when and how to disclose vulnerabilities, what kinds of corporate policies can help, and when it’s best to call in an expert. Benchmarking cybersecurity assessment, testing, and mitigation practices against those in other industries may provide insight for medical device manufacturers.

A comprehensive security risk management plan needs to address three critical aspects of cybersecurity:

By putting these protocols into place, developers can protect patients from potential harm and minimize legal and financial risks.

Perhaps the biggest takeaway from Black Hat is this: medical device developers can’t wait for government to mandate a risk management framework. Device manufacturers need to activate their own processes to adequately anticipate and mitigate the safety, security, and business risks that come with connected medical devices.

Scott Sheaf is senior software engineer at Battelle.

[image courtesy of STUART MILES/FREEDIGITALPHOTOS.NET]