Cybersecurity and Risk Management Principles
29 May 2020
Medical device manufacturers are driven by improving features, functionality, and accessibility that contribute to greater patient care. The incorporation of communications technology into medical devices offers increased potential for monitoring, alerting, collecting and analyzing medical data, controlling medication dosing, and even assisting doctors during surgery.
While the inclusion of computer components and connectivity is certainly leading to greater patient care, it also exposes medical devices to the same cybersecurity struggles that traditional information systems have always faced. As other industries made similar transitions to connectivity, manufacturers that lacked a real process to address cybersecurity were most exposed during times of change. As medical device manufacturers implement more features through connectivity, their exposure to the cyber threat landscape also increases.
The US Food and Drug Administration (FDA) has recommended that cybersecurity design and validation should be considered as part of the process currently in place for submissions that include software components. As the FDA continues to align their standards with other industries, the necessity to consider and implement cybersecurity in medical devices will move further into real compliance and conformance requirements.
Further, states like California and Oregon have established laws that require manufacturers to equip products with a minimum baseline of cybersecurity in any product with some connectivity. Medical device manufacturers should be prepared to demonstrate compliance with these types of laws as they are implemented by more jurisdictions.
Medical device manufacturers are familiar with assessing and controlling risk, following the process specified in ISO 14971, and presenting the results to regulators. Creating a parallel process for cybersecurity is strongly recommended.
What is the impact on safety if a medical device has cumbersome security features that get in a doctor’s way during an emergency? What are the cybersecurity risks inherent in implanted life-saving devices that require a connection to the cloud to perform data processing? Without a formal cybersecurity risk management process, cyber risks cannot be quantified.
As medical devices enter the connected arena and are exposed to unfamiliar threats including hackers and organized crime, what is the current exposure to existing and future vulnerabilities? What stands to be lost in terms of assets such as patient data and safety? What is the plan to navigate legal and regulatory requirements?
Find out how Intertek can help secure medical device connectivity through risk planning, management and assessment on our information page.