The threat of medical devices becoming cyber risks has been in the news cycle for quite some time. Just last month, this topic became a major story again with one report saying that 53 percent of medical devices are at risk of cyber attacks. However, it appears that many continue to be incognizant of the problem.
Around a third of healthcare employees in North America admit that they never had any form of cybersecurity training. They lack suitable education and awareness to combat new cybersecurity threats in the workplace, including those that involve connected medical devices. This is alarming given that cyber attacks on the healthcare industry are steadily increasing.
Hacker-induced malfunctions in the operation of a web-connected pacemaker or defibrillator can create dire consequences. Malware-infected remotely-managed drug-infusion systems can go haywire, risking the lives of patients. These should not be allowed to happen.
Medical device cybersecurity standards
To start seeing the often unseen cyber threats of medical devices, device manufacturers and healthcare organizations should get acquainted with medical device cybersecurity standards, regulations, and legal requirements. These cover almost everything they need to know to secure their connected devices.
Here’s a rundown of some of the most important standards and requirements to take into account.
- EU Medical Device Regulation (EU-MDR) – Also known as Regulation (EU) 2017/745, the EU MDR regulates the clinical investigation and sale of medical devices intended for people. It aims to ascertain patient safety and product effectiveness, ensure product integrity and reliability, and improve the regulatory oversight of medical devices.
- UL 2900 – This is a series of standards developed by UL Solutions, a renowned applied safety science organization. Adopted by the US FDA in 2018, this set of standards is aimed at ensuring the security of the software used in medical devices, industrial control systems, and life safety signaling systems.
- TIR 57 AAMI – A set of principles on medical device security, TIR 57 AAMI sets guidelines on undertaking information security risk management for medical devices. It is officially recognized by the US FDA as a foundational standard. TIR 57 AAMI is an acronym for Technical Information Report 57 of the Association for the Advancement of Medical Instrumentation.
- ISO/IEC 27001 – While this ISO/IEC standard is not explicitly about medical devices, it presents guidelines on the establishment, implementation, maintenance, and continuous improvement of an information security management system (ISMS) that may be used by medical device operators. Medical device cybersecurity standards benefit from ISMS solutions, which provide a systematic framework for managing risks, ensuring compliance, and safeguarding sensitive healthcare data, ultimately enhancing the security and integrity of medical devices.
- FDA Premarket and Postmarket Guidance – The United States Food and Drug Administration has several guidance documents related to the security of medical devices. These documents cover the full lifecycle of devices, from design through development and maintenance. They provide various recommendations on how to come up with a secure device design, manage risks, and assess vulnerabilities.
- IMDRF Principles and Practices for Medical Device Cybersecurity – IMDRF is the International Medical Device Regulators Forum, a group of medical device regulators who seek to consolidate medical device safety and security regulations. They came up with a principles and practices document in 2020 to present the best practices for achieving medical device cybersecurity with an emphasis on risk-based approaches. The document can also serve as a guide for organizations as they establish policies for the management and sharing of information related to security events, vulnerabilities, and threats.
- MDCG Guidance on Cybersecurity for Medical Devices – MDCG stands for the Medical Device Coordination Group, a European regulator focusing on medical device safety and effectiveness. It published guidelines designed to assist manufacturers in complying with the requirements of the MDR and IVDR regulations.
- Health Industry Cybersecurity Practices (HICP) – HICP is a voluntary set of standards created jointly by the Health Sector Coordinating Council (HSCC) and the United States Department of Health and Human Services (HHS). It serves as a guide for healthcare organizations in identifying cyber threats and responding to them effectively.
- PATCH Act – This is a relatively new law in the United States introduced in 2022 to shore up the security of medical devices and IoT networks. It empowers the US FDA to approve products and monitor and address vulnerabilities in these devices post-market.
The standards at a glance
Exhaustively describing the different applicable standards, guidelines, and legal requirements for medical devices would mean a very lengthy post. However, the points can be briefly summarized as follows: secure design, secure operation, and post-market monitoring.
First, medical devices should be inherently secure. They should be free from any flaw or vulnerability that can be exploited by threat actors. As such, every device should be safe, secure, and effective in terms of hardware and software. No product should reach the consumer market unless it is guaranteed to perform as intended and is free from security issues.
However, it is not enough to make sure that devices are of good quality out of the box. They should also be monitored while in operation. There has to be a system that communicates to the manufacturer the issues that emerge in their devices. Also, regular software updates should be made available, especially in response to newly discovered threats.
Thirdly, it is important to exercise post-market monitoring. Feedback from users should be considered to address security problems and improve the performance and utility of medical devices. Malfunctions, poor performance, and susceptibility to breakdowns and cyber-attacks should be meticulously tracked. Unlike other consumer products, the use of medical devices entails serious consequences affecting a person’s health or even life. It would never be acceptable to sell-and-forget these products.
The need for medical device security visibility
To emphasize, medical device security visibility applies mainly to two parties: the device manufacturers and healthcare providers. Almost all of the cybersecurity standards for medical devices pertain to them. They must know and understand all applicable standards and regulations for them to achieve security visibility and ensure the safety and effectiveness of medical devices.
Healthcare organizations should have an efficient way to oversee all of their web-enabled medical devices. This is easier said than done, though. A large hospital can have as many as 85,000 connected medical devices. Managing all of them is a daunting task, something that can be easily bungled without the right tools and proficiency. The same goes for medical device manufacturers. They should have a reliable and systematic method of managing all of their devices to make sure that they are effective and safe.
There is a need for a complete record of all their connected devices. This usually entails a collaboration between the accounting (inventory management) and IT (cybersecurity) departments to make sure that all devices, both the unsold/unused and sold/deployed, are accounted for. In most cases, a manual accounting of devices is required. The security team should collaborate with the accounting department since the latter has the expertise in accurately inspecting and recording all organizational assets, production/acquisitions, and sales/expenditures.
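As an added illustration of the inventory reconciliation described above (this is not code from the original post), the Python below compares a constructed accounting asset register with a constructed list of devices the IT team observed on the clinical network, flagging devices present in one view but not the other and deployed devices running outdated firmware. All serials, statuses, firmware versions and field names are made-up assumptions.

```python
# Added example: reconcile the accounting register with the IT network view
# so that unaccounted, misclassified or unpatched connected devices surface.
# All records below are constructed sample data; field names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    serial: str
    issue: str


# Constructed accounting register: serial -> (model, lifecycle status)
ASSET_REGISTER = {
    "PMP-0001": ("InfusionPump-X", "deployed"),
    "PMP-0002": ("InfusionPump-X", "deployed"),
    "PMP-0003": ("InfusionPump-X", "in_stock"),
    "PMP-0004": ("InfusionPump-X", "deployed"),
    "MON-0100": ("PatientMonitor-Y", "retired"),
}

# Constructed IT view: devices seen on the network, the firmware each
# reported, and the latest firmware the vendor currently ships for it.
NETWORK_OBSERVED = [
    {"serial": "PMP-0001", "firmware": "2.3", "latest": "2.3"},
    {"serial": "PMP-0002", "firmware": "2.1", "latest": "2.3"},
    {"serial": "MON-0100", "firmware": "1.0", "latest": "1.4"},
    {"serial": "UNK-9999", "firmware": "?", "latest": "?"},
]


def reconcile(register, observed):
    """Return findings where the two views disagree or a device lags on updates."""
    findings = []
    seen = set()
    for dev in observed:
        serial = dev["serial"]
        seen.add(serial)
        if serial not in register:
            # Accounting has no record of it: unmanaged device on the network
            findings.append(Finding(serial, "on network but not in asset register"))
            continue
        status = register[serial][1]
        if status != "deployed":
            # A retired or in-stock device should not be talking on the network
            findings.append(Finding(serial, f"on network but registered as {status}"))
        if dev["firmware"] != dev["latest"]:
            findings.append(Finding(serial, f"firmware {dev['firmware']} behind {dev['latest']}"))
    for serial, (_, status) in register.items():
        if status == "deployed" and serial not in seen:
            # Deployed on paper but invisible to IT: cannot be monitored or patched
            findings.append(Finding(serial, "registered as deployed but not seen on network"))
    return findings
```

Each finding names the party that has to act: register gaps go back to accounting, while missing or outdated devices go to the security team.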
In conclusion
Cybersecurity has conventionally taken a lower priority among medical devices since they are usually assessed primarily in terms of their effectiveness and usage safety. However, cyber threats are already a major concern for connected devices used in the healthcare industry. Medical IoT and other web-enabled medical devices inevitably become cyber attack surfaces, so they should be subjected to rigorous security standards. It’s time to see the severity and urgency of the threats. For manufacturers, security should be ascertained throughout the entire product lifecycle, from design to post-market monitoring. For healthcare providers, the devices should be monitored from the moment they are used until the time they are retired or discarded.