Responding to the Cyber Threat
A 2017 study released by Poneman Institute underscored how unprepared the medical devices sector is for tackling cyber security risks. The study, Medical Device Security: An Industry Under Attack and Unprepared to Defend highlighted two main areas of concern. The first is the lack of a responsible well informed corporate owner of cyber risks and the second is the weakness and vulnerability of the information architecture underpinning many health care providers. Key vulnerabilities include lack of an effective quality management system for medical device cyber security, outdated operating systems, and lack of consistent testing practices for devices once in use. The standard practices of patches and updates for software vulnerabilities which many companies are familiar with, is more complex and difficult for medical devices companies and for health care providers dependent on intricate information systems which cannot be interrupted for software updates.
Pockets of good cyber security planning exist across the medical devices sector, but there is not yet an industry wide approach to tackle the problems of cyber risk. The FDA has recommended a ‘total lifecycle approach’ to managing cyber risk. However, FDA guidance focuses on what manufacturers should do rather than how to do it.
Experts from Boston Scientific [i] have highlighted three questions manufacturers and information management specialists need to consider when planning for more cyber security in medical devices, and more generally in the IoMT:
- Scalability – can a security solution be used by large and small institutions, or is scaling down for less well-resourced hospitals degrading the solution?
- Awareness of inventory – what software and content from third party providers is part of the system and does it bring its own, additional share of security risks?
- Composability – can a safe and secure system be built, containing non-secure components? How is the security of new devices coming onto the system being evaluated?
The expansion of IoMT will bring greater levels of risk along with greater benefits for healthcare provision. For manufacturers and purchasers of medical devices, careful informed planning and regular testing for cyber threats will have to become part of the overall compliance framework in the future.
Read more about the cyber security challenges facing the healthcare sector with BSI’s free Cyber security of medical devices whitepaper.
[i] Ken Hoyme, Director of Product and Information Engineering Systems Security at Boston Scientific, speaking at the Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis workshop, May 2017.
The Compliance Navigator blog is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd or of the BSI Notified Body. The views expressed are entirely those of the authors.