Tackling the challenges of medical device security

By Alex Wilson and Andreas Rollmann, Wind River

In conversations with medical device manufacturers about innovation and the major business issues they have faced over the last 12 months, one topic stands out, having come up in every discussion: security, whether device security or cybersecurity. The majority are adopting a “good enough” approach that leaves them unprotected at some point of the device lifecycle. Most software team leaders are well aware that this simple security protection is limited or outdated, and that the overall security approach does not answer current or future demands.

Executives agree that device security is extremely important, and they are concerned about being called out as the next company whose product security has been compromised. According to a recent survey, 65 percent of companies think that their organization faces a significant level of security risk – from the use of mobile, IT security and cloud-based solutions in the enterprise. Despite this awareness, many have not defined an overall strategy with concrete actions, nor have they built a business justification to allocate budget to implement such a strategy. There are various reasons for this slow progress, including lack of understanding at the top levels of management, insufficient budgets, internal expertise gaps, stretched software developer resources, absence of a specific person responsible for device security, and the complexity of regulatory requirements.

Medical devices and regulations

Device manufacturers used to have the luxury of stipulating that their devices would be deployed only on a network secured behind a firewall. Recent thinking has become more realistic, accepting for example that not every hospital network that is supposed to be secure truly is secure in practice. IT staff in hospitals, just as in other industries, struggle to keep their networks patched and up to date. Increasingly, they are asked to connect greater numbers and more diverse types of devices to that network, and now to cloud-based services outside of the hospital, resulting in many exceptions to the original rules of deployment. In fact, recent evidence suggests that even being behind the firewall no longer means being in a safe haven from a security perspective, with rogue devices and poor security procedures in place in many establishments. Medical devices are also being deployed beyond the hospital walls in long-term care facilities or in the home, where there are no IT departments to build a security process and a secure network.

The Food and Drug Administration is taking cybersecurity seriously, and the guidance from October 2014, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, was the first step.

Of note, the guidance recognized several well-known security standards that could be used to achieve this goal, including IEC 80001 and IEC 62443. The recognition of the standards is a good start, but applying them to healthcare devices and infrastructure requires more knowledge and expertise.

For the medical device manufacturer, IEC 80001 does not apply to an individual device in isolation, but rather to how the device supports and is incorporated into a connected healthcare system that supports IEC 80001.

Conversely, IEC 62443 covers many aspects of industrial control systems, but is not specific to medical devices. So there needs to be an understanding of how to apply it, and how it can assist in applying a security strategy that meets the end user requirements in order to incorporate the device into an ISO 80001-based healthcare system.

The FDA guidance was also augmented in December 2016 with Postmarket Management of Cybersecurity in Medical Devices, which addresses cybersecurity risk management for deployed devices, and also states that an effective cybersecurity risk management program should address cybersecurity from medical device conception to obsolescence. It is recommended that manufacturers apply the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

Let’s start with the key stakeholders in the development and implementation of a successful security strategy, discuss their main pain points, and look at their goals.

Medical device manufacturers

Device manufacturers have to make sure they build competitive devices that meet ever-changing regulatory requirements, especially around security. They must quickly find answers to the following questions:

How can we implement a security strategy that:

* is clearly and effectively messaged to medical device manufacturers, their sales organization, and their customers?
* meets both the end customer requirements (such as IEC 80001) and local security and disaster response laws (such as Katastrophenschutzgesetz in Germany, or the Federal Disaster Relief Act in the USA)?
* supplies all of the correct documentation required by the regulatory authorities?

Do we have trained staff who understand both safety and security requirements for medical devices?

How do we support the IT manager of our customers in implementing an IEC 80001 strategy?

Further, how do we respond to medical device equipment tenders that specify IEC 80001 and provide the necessary information for the end user to remain IEC 80001 compliant?

How do we respond to the hospitals’ requirements, in terms of innovative methods of treatment, latest medical technology, cost-optimized services, or even completely new business models?

Should we consider connected medical devices to support the drive toward smart hospitals?

* How do we address the reservations of hospital operators?
* How do we enable data transfer to these systems, and do we retain data ownership and privacy?
* How do we maintain security when transferring data between these systems?

Healthcare institutions

Healthcare institutions are confronted with a wave of massive challenges:

  1. Pressure for innovation. Innovation is crucial to survive competition among hospitals and medical service suppliers.
  2. Cost management. This is vital to stay financially healthy despite increasing case numbers and decreasing funds in the healthcare system.
  3. Liability, insurance, and legal requirements. These are constantly increasing, along with demands on IT security, resulting in more complex risk management policies and greater risk aversion (Katastrophenschutzgesetz, IEC 80001).
  4. Evolving regulatory agencies and norms. These put a stronger focus on connectivity of medical devices (FDA, TÜVs, IEC 62304).
  5. Implemented IT security. Improved security has become a must in medical devices in order to respond to ever-increasing security threats, even as it increases the complexity of interoperability among medical device manufacturers.
  6. Data generation. Data can be increasingly used through the IoT to help manufacturers become more attractive, spend less, and gain more new business.

Certifying bodies

Due to the complexity of the regulations for medical device security, it is vital while building a security strategy to engage early on with the certifying bodies. This way the device manufacturer or healthcare institution can confirm that the chosen route to a secure system aligns with current regulatory requirements and that they have taken a path that will lead to eventual approval by the certification bodies. This is just as true for verification and validation of safety systems.

Conclusion

The drive toward digital business transformation requires both medical device manufacturers and end users to consider the new concerns of cybersecurity, in order to meet regulatory requirements and mitigate risk for their company brand and reputation.

Security has to be built into the entire device lifecycle – not only into its design, development, and manufacturing, but also into operational aspects, such as security updates, and how the device will operate in an IEC 80001-compliant healthcare environment. This becomes a crucial part of device manufacturers’ success against the competition.