Technological innovations in and around the medical device industry have made it possible for companies to create devices that deliver improved treatments, more precise diagnostics, advanced data reporting abilities, and overall better patient monitoring.
Unfortunately, these rapid advancements have also bred new, challenging security threats to the medical device industry. With cyberattacks becoming increasingly common and complex, many industry experts are expressing concerns over the potential security risk for medical devices.
Let’s take an in-depth look at three of the biggest challenges for medical device security today, as well as three solutions that may help avoid a cyber catastrophe.
Though medical devices are intentionally designed for safe operation, they rarely come equipped with protections against cyberattacks such as firewalls, two-factor authentication, or intrusion detection.
That’s not due to lack of care; up until recent years, medical devices were simply not considered to be a huge target for security breaches and attacks. However, patient data and private records have proven to be quite the desirable target of hackers.
Even if the device or software isn’t used to store any patient data, hackers may see devices with low security measures in place as an entry-point to gain control of large healthcare databases and hospital systems.
Regulators are taking steps to address these concerns over medical device security. In 2019, FDA issued a warning concerning a line of insulin pumps after the discovery of a vulnerability that would potentially allow hackers to change the amount of insulin released.
Connected devices must be designed with security best practices in place. This is precisely why FDA released two guidance documents to help manufacturers accomplish this in the premarket phase:
The following is a non-exhaustive list from FDA of the ways manufacturers can increase protections for medical device security:
Restricting unauthorized access to medical devices
Implementing firewalls that are both adequate and up-to-date
Monitoring network activity for unauthorized use
Disabling all unnecessary ports and services
Identification of off-the-shelf software, if appropriate
Virus protection when necessary
Encryption of sensitive data
According to FDA guidance, the onus ultimately falls on the manufacturer to ensure medical devices are designed with cybersecurity top of mind. Additionally, FDA guidance strongly recommends manufacturers adhere to ISO 14971 for risk management.
One of the greatest benefits of utilizing Internet of Medical Things (IoMT) technology is the opportunity for remote patient monitoring. By connecting devices to one another and allowing for the collection and transfer of data, medical device companies can potentially give caregivers and health networks the ability to provide better and more affordable care.
This capability is known as interoperability: the ability to share health-related data digitally between multiple organizations and stakeholders. However, with so many connected devices communicating with one another, this also presents the potential for replication attacks.
Replication attacks occur when a hacker captures vital credentials and security keys from one device connected to a network, also known as a node, and is then able to reuse that information to gain access to all other devices on that network. This is essentially a form of identity theft, but instead of impacting one individual’s account, it’s used to control an entire network.
The risk for this exponentially increases with every new stakeholder and device. This is especially true when we consider the number of organizations and users involved in large-scale healthcare networks.
Replication attacks can be fought off with two important security initiatives on the device side of things. The first is with meticulous inventory management systems. Tracking devices and users is a highly effective way to spot security gaps where would-be cybercriminals might try to attack.
While inventory management is a responsibility of providers and healthcare organizations, there are also regulatory requirements for manufacturers. Unique Device Indicators (UDI) are an excellent way to assist buyers with their own inventory systems.
In fact, FDA has also issued more recent final guidance for the inclusion of UDI numbers for SaMD manufacturers. All SaMD must have UDI information via plain-text statements displayed each time the SaMD is started and/or via plain-text statements displayed through a menu command.
There is some labeling differentiation depending on whether software is sold as a package or not; nevertheless, this approach should allow manufacturers to provide a sense of order for their customers. With these numbers being assigned and referred to on a global level, the inventory control needed to prevent replication attacks should be well-established.
The second prong, here, is network segmentation. This computing principle separates out devices into grouped, private wireless networks so that if a cyberattack were to occur, the bulk of data would still be stored elsewhere.
Network segmentation can be achieved through a number of approaches, including firewalls and multi-factor identification. However, with cyberattacks becoming more sophisticated every day, modern network segmentation for medical devices requires the use of a couple of essential technologies: virtual LANs, which separate traffic at the switch level using basic permissions logic, and subnets, which restrict and manage traffic at the IP level.
Of course, as with all cybersecurity strategies, hospital organizations and providers will need to determine the scope of services and devices that will reside on the network. Once these are defined, it should be easier to visualize breaking them out into relevant groups.
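The two defenses described above, inventory tracking and subnet-based segmentation, can be combined into one audit. The following is an added example, not code from the original article: it checks authentication events against a device inventory and flags a device identity seen outside its assigned subnet, a key presented by the wrong node, a device missing from the inventory, and a key seen from more than one address. The device IDs, subnets, key fingerprints and event format are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: device ID -> (assigned subnet, enrolled key fingerprint).
# IDs, subnets and fingerprints are placeholders, not real UDIs or keys.
INVENTORY = {
    "pump-01":    ("10.20.1.0/24", "fp-aaa1"),
    "pump-02":    ("10.20.1.0/24", "fp-bbb2"),
    "monitor-07": ("10.20.2.0/24", "fp-ccc3"),
}

# Constructed authentication events: (claimed device ID, source IP, key fingerprint).
EVENTS = [
    ("pump-01", "10.20.1.15", "fp-aaa1"),       # normal
    ("pump-02", "10.20.1.16", "fp-bbb2"),       # normal
    ("monitor-07", "10.20.2.40", "fp-ccc3"),    # normal
    ("pump-01", "10.20.2.99", "fp-aaa1"),       # pump-01 identity seen in the monitor segment
    ("pump-02", "10.20.1.16", "fp-aaa1"),       # pump-01's key presented by another node
    ("ventilator-03", "10.20.3.5", "fp-ddd4"),  # device not in the inventory
]

def audit(events, inventory):
    """Return a list of (finding, device_id, detail) tuples."""
    findings = []
    key_owner = {fp: dev for dev, (_, fp) in inventory.items()}
    sources = defaultdict(set)  # fingerprint -> source IPs that presented it
    for dev, ip, fp in events:
        sources[fp].add(ip)
        if dev not in inventory:
            findings.append(("unknown-device", dev, ip))
            continue
        subnet, enrolled_fp = inventory[dev]
        # Segmentation check: the device must speak from its assigned subnet.
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(subnet):
            findings.append(("outside-segment", dev, ip))
        # Identity check: the key must be the one enrolled for this device.
        if fp != enrolled_fp:
            findings.append(("key-mismatch", dev, key_owner.get(fp, "unenrolled key")))
    # Replication indicator: one key presented from several addresses.
    for fp, ips in sources.items():
        if len(ips) > 1:
            findings.append(("key-reused", key_owner.get(fp, "unknown"), ",".join(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS, INVENTORY):
        print(finding)
```
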
Routine updates and security patches are a necessary part of any software product’s lifecycle.
However, unlike the updates on non-medical devices like laptops or smartphones, the stakes are much higher when it comes to updating medical device software; in extreme cases, a cybersecurity snafu could mean patient harm or even death.
For that reason, manufacturers deploying software updates cannot afford any missteps. If the software update to a pacemaker causes the device to suddenly drop offline or malfunction, it could prove fatal. The same is true for lower-risk devices that experience a failed update, which may result in inaccurate diagnosis or misguided treatment.
On top of that is the added risk of exposure to hackers and malware that take advantage of vulnerable, unprotected devices as an update is being deployed. Releasing security patches for a network of connected devices requires downtime, and without proper security measures or network segmentation, it could prove to be the very chance cybercriminals are waiting for.
When it comes to postmarket regulatory controls, it is once again the manufacturer who shoulders much of the load. Postmarket controls in medical device software are spelled out in the guidance document, Postmarket Management of Cybersecurity in Medical Devices.
In this guidance, FDA advises manufacturers to implement comprehensive cybersecurity risk management programs and follow all best practices for documentation laid out within 21 CFR Part 820 (QSR).
The risk management and mitigation practices found in FDA’s QSR call for manufacturers to monitor and test for security vulnerabilities, and encourage the use of AI if possible as a way to predict or at least mitigate the changing landscape of cybersecurity.
It also requires documented cybersecurity risk management programs that conform with ISO 30111, a standard that covers threat modeling, which indicates the severity of potential harm against patients with a classification system of negligible to catastrophic.
However, updating software needs to involve more than just complying with regulations; manufacturers need to conduct an aggressive risk assessment during software validation and for every update deployed.
Navigating the world of medical device regulations is no easy feat. As cybersecurity continues to garner more and more attention in the medical device industry, so too will new security threats.
With your patient data and customer records in high demand from cyberattackers, you must ensure the best design control and documentation management systems are in place throughout the lifecycle of your medical device.
Greenlight Guru is the only medical device QMS that is built specifically to meet the unique needs of the medical device industry. The purpose-built solution seamlessly integrates dedicated workflows for design controls, risk management, and document management to give users the security and protection needed to keep your device and its end users safe from harm.
Tom Rish is a Medical Device Guru at Greenlight Guru who works with customers to utilize their QMS software to build safer products on expedited timelines. He is a Biomedical Engineer who began his career developing implant and instrument systems in the orthopedic industry. He enjoys helping customers successfully...