Managing Security for Cloud Connected Medical Devices
Connecting your medical device to the cloud has many benefits. But one of the major risks is security – specifically cybersecurity.
This has been a hot topic recently with some high-profile incidents. For example, the implantable ICDs from St Jude Medical were found to be vulnerable to hacking.
Cybersecurity is a risk that medical device manufacturers need to manage, but unfortunately, as a whole, the industry is one of the least prepared for this. Connecting your medical device definitely makes it more vulnerable to deliberate attacks.
We hear reports every day about things like ransomware, where the hacker will keep someone’s credit card or block a system from being used until they get paid. Think about a hacker holding life-saving information or treatment hostage. This would be a very serious risk to your company and to the health and safety of patients.
How do you manage security?
Managing security is really about embedding it as part of your company culture from the get-go. This spans from the design of the device to it becoming fully operational. You have to always think of the people who are the end-users of your device and how you can keep them safe.
Security isn’t just something you think of once or tack on at the end. It’s a cultural shift and commitment for the entire lifecycle of the medical device.
With that being said, you obviously need to start somewhere, so where is a good place to begin?
#1. Create a set of cybersecurity procedures
Your first step would be to create a set of cybersecurity procedures and guidelines. These will identify how that cultural change will happen in your company.
These procedures and guidelines should include a cybersecurity risk management program. This consists of:
- Assessment of cybersecurity vulnerabilities.
- Assessment of the harm that can come from those hazards.
- An evaluation of the order of risk of potential harm.
Cybersecurity risk should be identified and tracked throughout product development and operations. Just as we manage clinical risk and hardware risk, we need to prioritize managing the risks to cybersecurity.
#2. Train your workforce on good cybersecurity practices
It’s important that your team members understand what cybersecurity risk is, what to look for and how to put in place good practices. Your workforce can potentially be the weakest link when it comes to cybersecurity if they haven’t been trained.
For example, they should know not to click on random links and should understand what phishing or baiting attacks look like. It’s a good idea to have security software like antivirus or anti-malware installed on desktops and laptops, and to have them set for automatic updating.
Cybersecurity training should be regular and repeated for your workforce. It’s easy for people to forget and fall into bad practices, or there may be new threats out that they should know about.
#3. Ensure good engineering practices
It’s important that your team follows good engineering practices in terms of cybersecurity. This includes things like:
- Secure design. This is about your coding and practices for developing software in a way that protects against accidental introduction of security issues.
- Taking it for granted that security issues are a given, so that you apply appropriate levels of caution.
- Keeping a list of software components being used in the development of the medical device. This is like a “bill of components” except for software. You need to periodically review these for any new security issues.
- Performing verification. This includes things like penetration testing and security scanning. You may even choose to perform some “ethical hacking” as a test. Just like we verify for functionality and for clinical effectiveness, we verify for cybersecurity.
- From an operational point of view, limiting the amount of data that is stored on the device. You also may want to limit data that is transmitted between your device and cloud systems. Limiting these things helps to reduce risk, but of course it may not always be possible. Sometimes that data is needed.
- Using data encryption to protect what you capture or transmit. This should be used any time you have sensitive data. The level of encryption should be dependent on the risk level involved with that particular piece of data.
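The periodic review of the software component list described above can be automated. The following is an added example, not code from the original article: the component names, the advisory entries and their field names are constructed for illustration, and a real review would read the device's actual inventory and a real advisory source.

```python
import json

# Constructed sample inventory; not a real product's component list.
SBOM_JSON = """
{"components": [
  {"name": "examplessl",  "version": "1.0.2"},
  {"name": "tinyjson",    "version": "2.4.1"},
  {"name": "rtos-kernel", "version": "10.3"},
  {"name": "vendor-blob", "version": "unknown"}
]}
"""

# Constructed advisories: versions >= introduced and < fixed are affected.
# fixed=None means no patched release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "examplessl", "introduced": "1.0.0", "fixed": "1.0.5"},
    {"id": "EXAMPLE-ADV-0002", "component": "tinyjson", "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "EXAMPLE-ADV-0003", "component": "rtos-kernel", "introduced": "9.0", "fixed": None},
]

def version_key(text, width=4):
    """Turn '1.0.2' into (1, 0, 2, 0) so '10.3' > '9.0' and '1.0' == '1.0.0'."""
    parts = [int(p) for p in text.split(".")]  # ValueError on non-numeric versions
    return tuple(parts + [0] * (width - len(parts)))

def review(sbom_json, advisories):
    """Return (findings, unknown): affected components, and ones needing manual review."""
    findings, unknown = [], []
    for comp in json.loads(sbom_json)["components"]:
        try:
            ver = version_key(comp["version"])
        except ValueError:
            # A version we cannot compare must not be silently treated as safe.
            unknown.append(comp["name"])
            continue
        for adv in advisories:
            if adv["component"] != comp["name"] or ver < version_key(adv["introduced"]):
                continue
            if adv["fixed"] is None or ver < version_key(adv["fixed"]):
                findings.append((comp["name"], comp["version"], adv["id"],
                                 adv["fixed"] or "no fix yet"))
    return findings, unknown

if __name__ == "__main__":
    affected, manual = review(SBOM_JSON, ADVISORIES)
    for name, version, adv_id, fix in affected:
        print(f"{name} {version}: {adv_id} (fixed in: {fix})")
    print("manual review needed:", ", ".join(manual))
```

Components whose version cannot be parsed are listed separately so that they get a manual look instead of passing the review by default.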
#4. Create and maintain proper access controls
Use appropriate security controls when providing access to data. Access should be limited to those who need it and should require some kind of credentials before viewing it. For example, usernames and passwords are the most commonly used authentication mechanism.
A second factor for authentication is a good practice if possible. This might include things like using a physical “key”, such as a USB stick after putting in username and password. You could also use a pass code that is generated through an app on the user’s phone – really anything that creates a secondary level of protection.
If you use passwords, make sure you have password management policies in place. These allow you to put restrictions around passwords, which helps to protect data access.
Access controls should be regularly reviewed and limited to only what is absolutely necessary for anyone with access.
#5. Data backups and disaster recovery
Data back-ups need to happen regularly. This allows you to get back up and running as soon as possible if there are any issues. You also need to ensure good back-up management, ensuring that you can restore back-ups if needed. Data back-ups should be kept off-site so that they are secured away from your main data center. Data back-ups should also be encrypted to prevent improper access. The bottom line is, you need a solid way to get back if anything does go wrong!
#6. Constant monitoring
Create a post-market surveillance program. The FDA has released a guidance document on what to do with post-market cybersecurity issues. This has recommendations for how to assess risk based on the likelihood and impact of an attack. They also have guidance around when you need to report cybersecurity issues. (The FDA has made it easier to deploy “patches” for cybersecurity threats. There are shortcut provisions because the risk is so high.)
Constantly monitor for issues. Cybersecurity is not a one-time event – there are developments happening all the time.
Final thoughts
Cybersecurity is a cultural change for medical device companies. Security should be considered in design, risk management, software code and operations. You also need to consider the people involved. They must be trained and up-to-date with best practices on how to avoid potential cybersecurity risks.
While there are obvious risks to connecting your device, there are also some huge benefits to be had. Managing cybersecurity well allows you to enjoy those benefits with confidence.