Internet-connected devices and mHealth apps are bringing health care out of the clinic and into patients’ daily lives by connecting to the Internet, hospital networks, and each other in ways not possible just a few years ago. However, when devices connect to the Internet, patient safety and data security may be at risk.
With more apps and connected devices entering the market, the U.S. Food and Drug Administration (FDA) is starting to take notice. Its position had been that the industry should be able to use the existing regulatory framework (primarily ISO 14971) to manage cybersecurity risk for medical devices, but new guidance is evolving. The FDA’s Content of Premarket Submissions for Management of Cybersecurity in Medical Devices provides guidance for the industry. In addition, the Association for the Advancement of Medical Instrumentation (AAMI) working group is developing a technical information report (TIR), “Principles for Medical Device Information Security Risk Management,” which should provide more details for medical device manufacturers.
|
Cybersecurity planning A comprehensive security risk management plan needs to address three critical aspects of cybersecurity. Secure design – In order to design for security, developers need to look at ways to predict and minimize security risks that result from human error, software vulnerabilities, or malicious hacking. Baking security into development from the beginning can avoid costly redevelopment and mitigate potential liabilities. Developers who build cybersecurity into their apps and devices will be better prepared for emerging FDA expectations. Vulnerability assessment – What kind of data does the device send and receive? How is it encrypted? What kinds of patient safety risks would be introduced in the event of a disabling denial of service (DoS) attack or virus? Does the device open a back door into the hospital network? How is data backed up? NIST defines 18 families of cybersecurity controls that can be used to identify relevant vulnerabilities for a medical device or app. Developers must look at all of the potential risks introduced by connected devices and establish comprehensive and testable risk management protocols. Anti-tampering and anti-counterfeiting measures – Connected medical devices have a unique risk profile, including the risk of deliberate hacking. At the 2013 and 2014 BlackHat conferences, sessions have demonstrated a variety of ways that patients could be put at risk by hacking devices such as insulin pumps or pacemakers. mHealth apps may be vulnerable to deliberate attacks that could prevent timely transmission of critical health data between doctor and patient. Portable medical devices can be carried away and taken apart – allowing skilled agents to reverse engineer hardware or firmware to discover vulnerabilities. www.battelle.org |
We can expect that cybersecurity will be part of new FDA regulatory framework for medical apps and connected devices. In the meantime, developers must be able to evaluate the potential vulnerabilities in their software and anticipate adapting to the existing framework now to address security risk management. In particular, device manufacturers must recognize the difference between safety and security within their existing risk management processes and keep both kinds of exposure in mind.
Connection concerns
Medical device manufacturers have done an excellent job at developing protocols to identify and mitigate safety risks, such as electrical components that present a shock risk or poorly designed controls that could lead to an accidental overdose. However, the industry has been slower to recognize security risks.
As more medical devices become connected, risks increase. Devices and apps may be designed to allow data into the device, send data from the device, or both. Patients may use mHealth apps to track everything from weight to blood sugar at home, with information automatically synched with tracking software at the doctor’s office. In a hospital, monitoring devices may send patient data across the network to allow for better monitoring and earlier intervention. Each of these connection introduces security risks.
Medical device manufacturers should not wait for new legal regulations to guide them in developing cybersecurity protocols. To protect from risk and liability, manufacturers will need to develop their own best practices for risk assessment and mitigation.
Be vigilant
While regulatory agencies work to catch up with the new technology, medical device manufacturers need to look beyond their own industry for answers. Traditional technology companies have been grappling with the realities of living in a connected world for years: how to weigh risks and benefits, how to stay one-step ahead of the hackers, when and how to disclose vulnerabilities, what kinds of corporate policies can help, and when it’s best to call in an expert. Benchmarking cybersecurity assessment, testing, and mitigation practices against those in other industries may provide insight for medical device manufacturers.
To meet emerging regulations, medical device manufacturers must ensure that they are fully anticipating risks to both safety and security.
Battelle Memorial Institute
www.battelle.org
About the author: Scott Sheaf is a senior software engineer with Battelle Memorial Institute. Sheaf can be reached at solutions@battelle.org.
Explore the March 2015 Issue
Check out more from this issue and find your next story to read.
Latest from Today's Medical Developments
- Soft joint model for robots
- TANAKA PRECIOUS METAL TECHNOLOGIES’ Visi Fine
- Auxilium Biotechnologies prints medical devices on the International Space Station
- KYOCERA SGS Precision Tools’ APEX Application Expert
- North American robotics market holds steady in 2024 amid sectoral variability
- Evident’s DSX2000 digital microscope
- Ferrocene becomes first Rust toolchain to achieve IEC 62304 qualification
- Germany expects a major decline in production in 2025
