Five steps manufacturers must take now

Today’s medical devices connect to each other and to hospital networks in more ways than ever before. This connectivity greatly benefits patients and healthcare workers, but it also opens up new avenues of risk.

In some cases, hackers may be able to harm patients directly by hacking into a medical device and tampering with data or programming. While preventing these types of attacks is critical, the more likely risk may be in using medical devices to break into a hospital network or database. Unprotected devices present a weak link hackers can exploit to gain access to sensitive medical or financial data, disrupt hospital operations, or launch data ransom attacks. Developers of connected medical devices need to consider cybersecurity, even if the device cannot harm patients directly.

The Identity Threat Resources Center (IRTC) reports that cyber-attacks on the medical/healthcare sector account for 42.5% of reported data breaches, more than any other single industry. Hospital purchasing agents are increasingly aware of these threats, and many have added cybersecurity requirements into purchasing guidelines. With more mHealth apps and connected devices entering the market, the FDA also has taken notice. The FDA’s Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (http://goo.gl/sWxU2r) provides draft guidance for the industry. As the industry evolves, expect cybersecurity to be part of new FDA regulations for medical apps and connected devices.

Product lifecycle considerations

What can device developers do to protect themselves from liability and reduce cybersecurity risks for users? Cybersecurity is not a one-time proposition. Effective approaches must carry through the entire product development process, from initial design to post-market monitoring. Here are five steps of cybersecurity at each phase of development that medical device manufacturers can take to protect themselves and their users.

Pre-design: Manufacturers should start by gathering requirements and expectations around cybersecurity from stakeholders such as hospital procurement and IT departments. Increasingly, hospitals are writing such requirements into purchasing contracts and holding manufacturers accountable if devices are implicated in security breaches. Manufacturers must be prepared to provide documentation on security plans and specific precautions taken for each device. Many hospitals will no longer consider devices that cannot produce adequate security documentation. It helps to know ahead of time what is needed from a cyber-documentation.

Design process: Cybersecurity needs to be built into the design from the start. Manufacturers should conduct a device-specific threat assessment and revisit it throughout the design process. Threat assessment should include characterizing, modeling, and measuring potential threats specific to the device. Cybersecurity experts look at the ways the devices are connecting and the kind of data they are sending and receiving. How is data stored? How is it exchanged? Can the running code be updated? Looking at these points of connection gives important clues in evaluating how patients and their data may be put at risk.

Threat characterization also involves identifying potential threat actors. Who would want to break into the device, and why? What would they be able to do if they could introduce changes to the code? Threat-modeling helps developers determine what risks and vulnerabilities exist in devices and how to mitigate them. Once threats are characterized, manufacturers must make appropriate mitigation decisions. This doesn’t always mean ramping up security to the highest level; there could be a tradeoff between usability, safety, and device security to be evaluated. Developers must pick a cybersecurity baseline that balances risks against usability needs. Also, remember that cybersecurity design is an iterative process; developers should revisit vulnerability assessment during the design process and make adjustments as necessary. It’s significantly less expensive to make these adjustments during the design phase than during prototyping or final testing.

Prototyping: At the prototype phase, developers should put cybersecurity measures to the test. Essentially, this means allowing security experts to intentionally try to break into the device. Penetration testing sometimes involves a process called red teaming in which cybersecurity researchers plan attack scenarios and observe what happens when there is an attempted hack on the device. They may also perform fuzz testing, a software testing technique used to discover coding errors and security loopholes in software or operating systems. This involves inputting massive amounts of mutated data to the system and monitoring to see if it crashes or behaves abnormally. These and other testing techniques allow researchers to get a feel for how secure the device is and discover vulnerabilities not caught in the design phase.

Post-market updates: Once the device goes to market, manufacturers must have a strategy for updating the device as new security threats emerge and operating systems change. There are two important considerations to keep in mind. The device must have a secure method for pushing security updates. If the method of connecting to the device to update software or push patches is not encrypted and secure, it will actually make matters worse by opening the device up to significant new vulnerabilities. Second, companies must have processes in place to keep track of new vulnerabilities and respond to them as they emerge. The cybersecurity landscape is always changing; no matter how secure your device is today, a year from now new threats are likely to emerge. In most cases, these arise from areas device developers have no control over, such as new viruses or vulnerabilities discovered in software, operating systems for computers, or networks connecting to the device. Companies must have dedicated internal resources to track emerging threats and make mitigation recommendations.

Responsible disclosure policy: Risks uncovered by outside agents can expose manufacturers if they do not have a publically accessible reporting mechanism and clear internal procedures for investigating and mitigating reported risks. Essentially, responsible disclosure is an understanding that researchers can report a found vulnerability to a company without fear of legal reprisals and can expect the company to take reasonable steps to correct it and inform users if appropriate. A public responsible disclosure policy tells potential reporters how to tell you about a vulnerability and what your company will do with the information. Developing a clear internal policy for responding to disclosures can help companies reduce their exposure. Last October, the FDA updated its consensus standards to include two standards (ISO/IEC 29147 and ISO/IEC 30111) related to responsible disclosure, emphasizing its importance for device manufacturers.

Putting it all together

Cybersecurity is an ongoing balancing act that requires a comprehensive, end-to-end approach. Often, this process will require bringing in outside cybersecurity experts to help. Battelle’s DeviceSecure Services (http://goo.gl/vPYwju) for medical manufacturers incorporates secure design, vulnerability assessment, and anti-tampering and anti-counterfeiting measures.

No device will ever be 100% unhackable. However, it is the responsibility of device manufacturers to take proper precautions to minimize the risk of harm to patients and hospital networks. By baking cybersecurity into the entire product life cycle, developers will go a long way toward reducing these risks.

Battelle

www.battelle.org

About the Author: Stephanie Preston is lead security engineer for Battelle DeviceSecure Services. She can be reached at 800.201.2011.