JoAnne Bronikowski
Cybersecurity threats are among the fastest growing risks for devices connected to private or public networks. Because of this, regulators, including the US Food and Drug Administration (FDA) and the European Medicines Agency, now require medical device developers to include cybersecurity in risk management programmes for any device that could be connected to a network or another device, whether public or private, wired or wireless. (1, 2, 3)
Network connections potentially expose medical devices to threats from many sources – not just through a local router or server in a hospital or medical office, but from any computer, tablet, smart phone or even smart lightbulb connected to the Internet anywhere in the world. Therefore, regulators view cybersecurity as a shared responsibility.
They expect a risk management plan that incorporates input not only from patients, providers, health facilities and device manufacturers, but also from general information technology (IT) software and hardware developers, Internet service providers and commercial cybersecurity firms.
Regulators require cybersecurity risk management plans to cover the entire life of the device, from development and testing throughout its use by healthcare professionals and/or with patients. Plans should address the gamut of potential threats, including deliberate or accidental disruption of device function, interference with data transfer between devices and servers, and any exposure of private medical data, or patient location or identity.
And because hackers are an inventive lot, cybersecurity plans must be continually updated. Probable future threats should be identified and current threats monitored, and new mitigation strategies adopted. These could include hardware changes or software patches, as well as changes in user operating procedures, as required throughout a device’s life cycle.
All this sounds complicated, and it does require significant expertise. However, the FDA and other organisations, notably the US National Institute of Standards and Technology (4), offer detailed guidance for what should be included in a medical device cybersecurity risk management plan, as briefly described here.
Protections to ensure device security
“Defence in depth” is a fundamental concept for ensuring information integrity that should guide any medical device cybersecurity plan. It calls for multiple layers of defence, installed throughout an IT system, that protect against unauthorised entry.
For a connected medical device, protection begins with data encryption, and restrictions on what data could be accessed and by whom. In general, data only should be made available if there is a good reason for it. For example, patients might be able to obtain heart rate information from a pacemaker, but should not be granted access to adjust the device, whereas physicians and technicians might have access to both.
Use of public and private encryption keys, strong unique passwords, positive user identification, user access tracing and access timeouts after a set period of inactivity are additional security layers that should be incorporated into the plan’s design from the outset. These protections should be applied to all types of potential data connections including cellular modems, Wi-Fi, Bluetooth, NFC and even RFID devices, as well as any wired connection such as USB ports or telephone jacks.
In addition to the device itself, the security of any server or other device it connects to, along with any intermediary device, must be addressed. For example, if an insulin pump connects via a cell phone to a server in a physician’s office, the cell phone and Internet connections, as well as the receiving server, should be encrypted and protected against unauthorised use.
More importantly, early consideration should be paid to preventable errors caused by human factors, such as the sharing of passwords. Finally, physical security, such as keeping servers in a locked room, should be mandatory to protect devices and data.
Detection and recovery
Additionally, a cybersecurity plan should include mechanisms for detecting when unauthorised access has occurred. An example includes alarms for unauthorised entry or multiple access attempts, which could indicate an attempted takeover. A responsible party should be appointed to respond to any intrusion as required.
A recovery plan is essential, and recovery features should be built into devices and the ecosystems in which they function. These could include the ability to reboot a device that has been compromised and to recognise authentic drivers for the device. Data backups should be maintained to restore compromised devices. These have been especially useful in cases of ransomware attacks, where hospitals and other organisations have been able to recover needed data from backups after a primary system was encrypted and held for ransom.
What the FDA wants
Current FDA advice on cybersecurity is not binding, but does cover specific features of a cybersecurity plan for connected devices, including:
- Plan for software maintenance and updates, and cybersecurity risk management
- Identification of assets, threats, vulnerabilities and cybersecurity requirements
- Assessment of potential threats – updated throughout the device’s lifecycle – in terms of their impact on device function and their effect on patients
- Mitigation strategies and procedures for preventing unauthorised access and related harms, and recovering from those that occur
- Documentation of plan, vulnerability and mitigation assessments, security requirements, risk management, data integrity controls and user instructions
Partnering with organisations that understand the complexity of cybersecurity risks and how to address them, as well as what regulators now require, can help keep your device and its users safe from attacks. This cybersecurity checklist will help you to assess how well equipped you are to meet today’s cybersecurity needs. For information on how ICON cybersecurity experts can help build the safeguards into your devices and operations, contact us.
(1) Cybersecurity for Networked Medical Devices Containing Off the-Shelf (OTS) Software. FDA, Jan. 14, 2005.
(2) Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. FDA, October 2, 2014.
(3) Post-market Management of Cybersecurity in Medical Devices. FDA, Dec. 28, 2016.
(4) Framework for Improving Critical Infrastructure Cybersecurity, draft version 1.1. National Institute for Standards and Technology, January 10, 2017.
In this section
-
Digital Disruption
- AI and clinical trials
-
Clinical trial data anonymisation and data sharing
-
Clinical Trial Tokenisation
-
Closing the evidence gap: The value of digital health technologies in supporting drug reimbursement decisions
-
Digital disruption in biopharma
-
Disruptive Innovation
- Remote Patient Monitoring
-
Personalising Digital Health
- Real World Data
-
The triad of trust: Navigating real-world healthcare data integration
-
Patient Centricity
-
Agile Clinical Monitoring
-
Capturing the voice of the patient in clinical trials
-
Charting the Managed Access Program Landscape
-
Developing Nurse-Centric Medical Communications
- Diversity and inclusion in clinical trials
-
Exploring the patient perspective from different angles
-
Patient safety and pharmacovigilance
-
A guide to safety data migrations
-
Taking safety reporting to the next level with automation
-
Outsourced Pharmacovigilance Affiliate Solution
-
The evolution of the Pharmacovigilance System Master File: Benefits, challenges, and opportunities
-
Sponsor and CRO pharmacovigilance and safety alliances
-
Understanding the Periodic Benefit-Risk Evaluation Report
-
A guide to safety data migrations
-
Patient voice survey
-
Patient Voice Survey - Decentralised and Hybrid Trials
-
Reimagining Patient-Centricity with the Internet of Medical Things (IoMT)
-
Using longitudinal qualitative research to capture the patient voice
-
Agile Clinical Monitoring
-
Regulatory Intelligence
-
An innovative approach to rare disease clinical development
- EU Clinical Trials Regulation
-
Using innovative tools and lean writing processes to accelerate regulatory document writing
-
Current overview of data sharing within clinical trial transparency
-
Global Agency Meetings: A collaborative approach to drug development
-
Keeping the end in mind: key considerations for creating plain language summaries
-
Navigating orphan drug development from early phase to marketing authorisation
-
Procedural and regulatory know-how for China biotechs in the EU
-
RACE for Children Act
-
Early engagement and regulatory considerations for biotech
-
Regulatory Intelligence Newsletter
-
Requirements & strategy considerations within clinical trial transparency
-
Spotlight on regulatory reforms in China
-
Transfer of marketing authorisation
-
An innovative approach to rare disease clinical development
-
Therapeutics insights
- Endocrine and Metabolic Disorders
- Cardiovascular
- Cell and Gene Therapies
- Central Nervous System
-
Glycomics
- Infectious Diseases
- NASH
- Oncology
- Paediatrics
-
Respiratory
-
Rare and orphan diseases
-
Advanced therapies for rare diseases
-
Cross-border enrollment of rare disease patients
-
Crossing the finish line: Why effective participation support strategy is critical to trial efficiency and success in rare diseases
-
Diversity, equity and inclusion in rare disease clinical trials
-
Identify and mitigate risks to rare disease clinical programmes
-
Leveraging historical data for use in rare disease trials
-
Natural history studies to improve drug development in rare diseases
-
Patient Centricity in Orphan Drug Development
-
The key to remarkable rare disease registries
-
Therapeutic spotlight: Precision medicine considerations in rare diseases
-
Advanced therapies for rare diseases
-
Transforming Trials
-
Accelerating biotech innovation from discovery to commercialisation
-
Ensuring the validity of clinical outcomes assessment (COA) data: The value of rater training
-
Linguistic validation of Clinical Outcomes Assessments
-
Optimising biotech funding
- Adaptive clinical trials
-
Best practices to increase engagement with medical and scientific poster content
-
Decentralised clinical trials
-
Biopharma perspective: the promise of decentralised models and diversity in clinical trials
-
Decentralised and Hybrid clinical trials
-
Practical considerations in transitioning to hybrid or decentralised clinical trials
-
Navigating the regulatory labyrinth of technology in decentralised clinical trials
-
Biopharma perspective: the promise of decentralised models and diversity in clinical trials
-
eCOA implementation
- Flexible delivery models
-
Implications of COVID-19 on statistical design and analyses of clinical studies
-
Improving pharma R&D efficiency
-
Increasing Complexity and Declining ROI in Drug Development
-
Innovation in Clinical Trial Methodologies
- Partnership insights
-
Risk Based Quality Management
-
Transforming the R&D Model to Sustain Growth
-
Accelerating biotech innovation from discovery to commercialisation
-
Value Based Healthcare
-
Strategies for commercialising oncology treatments for young adults
-
US payers and PROs
-
Accelerated early clinical manufacturing
-
Cardiovascular Medical Devices
-
CMS Part D Price Negotiations: Is your drug on the list?
-
COVID-19 navigating global market access
-
Ensuring scientific rigor in external control arms
-
Evidence Synthesis: A solution to sparse evidence, heterogeneous studies, and disconnected networks
-
Global Outcomes Benchmarking
-
Health technology assessment
-
Perspectives from US payers
-
ICER’s impact on payer decision making
-
Making Sense of the Biosimilars Market
-
Medical communications in early phase product development
-
Navigating the Challenges and Opportunities of Value Based Healthcare
-
Payer Reliance on ICER and Perceptions on Value Based Pricing
-
Payers Perspectives on Digital Therapeutics
-
Precision Medicine
-
RWE Generation Cross Sectional Studies and Medical Chart Review
-
Survey results: How to engage healthcare decision-makers
-
The affordability hurdle for gene therapies
-
The Role of ICER as an HTA Organisation
-
Strategies for commercialising oncology treatments for young adults
-
Blog
-
Videos
-
Webinar Channel