Security Challenges For Medical Devices - Legislations & Best Practices
In Homeland’s season two, the episode ‘Broken Hearts,’ there’s a successful assassination attempt on the vice president after terrorists hack his pacemaker. While dramatized, this scene shows the potential real-life consequences of attacking medical device cybersecurity vulnerabilities.
Cybersecurity experts agree all medical devices are at risk. Stakeholders in the medical industry need to understand these risks.In this article, you’ll learn more about the risk of cyberattacks on medical devices and the legislation and best practices adopted to reduce these threats.
Manage Your Security Risks According To The HR 7667 Bill
At the core of the H.R.7667 bill is the attempt to extend and revise the Food and Drug Administration’s (FDA) user fee program that raises the FDA’s funds necessary for speeding up device and drug approvals.
The bill gives the FDA the authority to ensure medical device cybersecurity.
To be specific, manufacturers must meet the following minimum requirements to ensure the security of their medical devices. All manufacturers must:
- Develop a plan to appropriately monitor, identify, and address post-market cybersecurity vulnerabilities and exploits in a reasonable time, including coordinated vulnerability disclosure and procedures.
- Design, develop, and maintain processes and procedures to ensure the device and related systems are cyber secure.
- Make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device.
- Provide in the labeling of the cyber device a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf software components.
- Comply with such other requirements as the Secretary may require to demonstrate reasonable assurance of the safety and effectiveness of the device for cybersecurity purposes.
What’s The Impact Of Cybersecurity Attacks On Medical Devices?
It’s no secret that medical devices are critical in ensuring patients access quality health care services.
However, as long as the device has software, can access the internet, and is vulnerable to malicious attacks, it’s the manufacturer and the user’s responsibility to ensure the medical device’s security.
In 2017, the FDA recalled about 465,000 pacemakers manufactured by health tech firm Abbott because of cybersecurity vulnerabilities.
Medical devices like drug infusion pumps and implanted defibrillators are also at risk. For example, in 2020, the FDA released an alert on the cybersecurity vulnerabilities of the Medtronic MiniMed 600 Series Insulin Pump System.
Cybersecurity attacks can lead to the data breach of hospital records or halt a hospital’s operations.
For example, during the WannaCry ransomware attack, several companies worldwide reported data breaches.
In the UK, the National Health Service (NHS) announced the compromise of 70,000 devices, including MRI scanners and theater equipment.
4 Best Practices For Improving Medical Device Cybersecurity
Ensuring medical device security is the responsibility of manufacturers and users. However, medical device manufacturers must develop cybersecurity measures that safeguard a device’s security from its early development stages throughout its lifetime.
Below are some best practices for improving medical device cybersecurity.
1. Advance Coding Standards
Cybersecurity attacks are now more complex and are increasing. As a result, every tech organization, including medical device manufacturers, focuses more on improving their programming languages’ safety and security standards.
Coding standards are necessary because they provide rules, techniques, and the best practices you need to improve your code’s maintainability, reliability, and security.
However, currently, the medical industry has yet to establish coding standards. Nevertheless, manufacturers rely on the coding standards outlined in the MISRA and CERT to develop devices with higher-quality security features and measures.
As a result, manufacturers can now meet the FDA’s medical device security objectives of authorization, authenticity, availability, confidentiality, integrity, and the secure and timely release of patches and updates.
2. Understand Functionality And Regulatory Standards
Aside from manufacturers, governments are key stakeholders invested in ensuring high-quality medical device cybersecurity standards. That’s why today, we have several international regulatory standards that guide the development of medical device security measures.
They include:
- ISO 14971: The regulatory standard that oversees the risk management of medical devices.
- ISO 13485: It’s the quality management systems regulatory standard for medical devices.
- IEC 62304: It’s an applicable safety standard that defines the lifecycle processes of medical device software.
- IEC 61508: It’s a functional safety standard covering all industries and providing a regulatory framework for safety lifecycle activities.
Here at home, the FDA is responsible for providing regulatory guidance. For example, in April 2022, the FDA released a new draft guiding medical device cybersecurity called “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”
The document recommends guidelines on how medical device manufacturers should develop cybersecurity measures for their devices. It then explores how to handle pre and post-market controls and maintenance standards for medical device cybersecurity.
3. Providing Security Assurance
The best way for manufacturers to provide security assurance is by testing the integrity of the medical device security. These tests look for possible security vulnerabilities, feature upgrades, and potential anti-malware controls. Tests can be done in-house or outsourced to cybersecurity experts.
Good test analysis is static application security testing (SAST). It scans the medical device’s source code checking for vulnerabilities in the framework and programming language. It also helps manufacturers adhere to the rules and regulations set in the coding standards.
Another test analysis is software composition analysis (SCA). An SCA test checks for vulnerabilities in 3rd party software and identifies risks in open source licenses.
4. Post Market Software Maintenance
After receiving the FDA’s approval to market a medical device, the manufacturer’s role in enhancing cybersecurity doesn’t end there.
Cybersecurity threats are constantly evolving. Therefore, the FDA requires manufacturers to update their cybersecurity measures once they know potential medical device security threats.
It’s also the manufacturer’s responsibility to develop a software vulnerability management plan that provides guidelines on what everyone should do. In their latest recommendations, the FDA advises manufacturers to keep an eye on the National Vulnerability Database (NVD) for information on potential threats.
Understand Medical Device Security And Legislation
The best practices outlined in this article are essential in ensuring manufacturers comply with medical device cybersecurity legislation and regulatory standards.
If you have questions on how compliance with the H.R.7667 bill will affect you, contact us now for a free consultation.