Over recent years, medical device cybersecurity has become an area of increasing strategic focus for manufacturers as devices have evolved to include more features – features that often rely on connectivity and thus allow for a wide range of potential vulnerabilities.
The FDA has taken notice as well, placing increased emphasis on monitoring and regulating medical device cybersecurity. As recently as October 20, the FDA approved a tool for evaluating and assigning scores to potential vulnerabilities in medical devices and IT systems.
Last year, the FDA warned patients and health care providers of cybersecurity risks of certain insulin pumps on the market to the point of advising patients to replace the pumps. The cause of the public warning was due to a vulnerability that was discovered which allowed a skilled hacker to send RF signals to a nearby insulin device in order to change settings that impacted insulin delivery which could lead to significant harm to the patient or even death. Although no patient harm was reported, it served as a stark reminder of the potentially dangerous threats posed. It is of utmost importance for medical device companies to not only review internal risks but also, not to assume third party software components are bullet proof. IPnet, is a third-party software component that was identified to contain 11 urgent vulnerabilities that would allow a hacker to take complete control of the device using this component. In one case, it was demonstrated that a hacker could even take over a patient monitor.
The FDA allows medical devices to be marketed when there is reasonable assurances that the benefit to the patient outweighs the risks. However, cybersecurity risks are ongoing threats to devices so the target is constantly moving. Furthermore, as more and more devices are designed to transmit patient data to health care teams using mobile devices, the amount of patient data being hacked is growing exponentially.
Medical Device Cybersecurity Risk Management
Medical device companies should include cybersecurity measures in their risk-based approach to design and development that mitigate patient harm from cybersecurity exploits. These measures include employing strict and limited authorization to the device, maintaining code integrity by using cryptographically verified software/firmware updates, using level 2 encryption and designing the device to detect cybersecurity events. Using modern authorization techniques for strict authorization to the device such as multifactor authorization is just one way of hardening your device security. Multifactor authorization is common place on desktop applications, but rarely found in medical devices. Trusted digital certificates is a great use of Public Key Infrastructure (PKI) for allowing devices to digitally sign firmware updates to ensure only trusted updates are installed. FIPS-2 encryption is a standard that is best addressed early in the design phase in order to use quality by design (QbD) principles in new product development . Finally, building in algorithms to detect intrusion such as developing behavior-based rules that use machine and regression algorithms to detect network level intrusions as well as anomalies in sensor data are great ways to detect intrusion and proactively fold into your continuous improvement plan.
Cybersecurity risk management is a process consistent with 21 CFR Part 820 where a manufacturer should establish, document, and maintain an ongoing process for identifying hazards associated with the cybersecurity of the medical device throughout the device lifecycle. Elements of an effective post market cybersecurity program include the ability to identify threats and deploy defense-in-depth strategies to protect against threats.
Moving forward, medical device companies must ensure a stringent approach to medical device cybersecurity. Throughout the COVID-19 pandemic, there’s been a multi-industry increase in cybersecurity risks. The healthcare sector alone is estimated to have seen a 150% increase in cyber attacks as hackers take advantage of vulnerabilities in systems and devices amidst the pandemic. Without a sound approach to effectively managing medical device cybersecurity, manufacturers will not only incur significant impacts to their business but the health and safety of the patients they’re committed to serving.