arrows arrow-right arrow-left menu search rss youtube linkedin twitter facebook arrow-play
Health & Analytics Newsletter

Battelle Health & Analytics Newsletter

February 2016 - Issue 6

Industry Insights
Red handpring on blue background with virus alert in white.

Building Cybersecurity into Medical Devices, from Start to Finish

Is your medical device putting patient safety or hospital data at risk? Cybersecurity is an issue that medical device manufacturers can no longer afford to ignore. In fact, cybersecurity may soon be considered as critical as safety and human factors testing in the device development process.

Hospitals are finding themselves at increasing risk from malware and malicious hackers. While harming patients through medical devices is rarely the end goal, devices are often seen as the “weak links” that provide easy entry into a hospital network. If the code for a critical medical device is compromised in the process, patient safety can be put at risk. Even if no patients are directly harmed, data breaches and data ransom attacks can disrupt hospital operations and make patients and employees vulnerable to identity theft.

For these reasons, hospital purchasers and the FDA are putting increased emphasis on medical device cybersecurity. Many hospital systems have added cybersecurity requirements to their purchasing guidelines. The FDA released draft guidance for premarket submissions in October 2014; post-market guidance was released January 22, 2016. As the industry evolves, we can expect that cybersecurity will be part of a new FDA regulatory framework for medical apps and connected devices.

Preparing for new market and regulatory realities requires a coordinated approach to cybersecurity, from initial design to post-market monitoring. Here are five steps medical device manufacturers can implement now to prepare: 

  1. Pre-design: Before design begins, manufacturers should start by gathering requirements and expectations around cybersecurity from stakeholders such as hospital procurement and IT departments. Many hospitals will no longer consider purchase of devices that cannot produce adequate security documentation. Manufacturers must be prepared to provide documentation on their security plan and the specific security precautions taken for the individual device.

  2. Design process: During the design process, manufacturers should conduct a device-specific threat assessment of their design, which includes characterizing, modeling and measuring potential threats specific to the device. Cybersecurity experts look at the ways the devices are connecting, the kind of data they are sending and receiving, and the potential for threat actors to introduce changes in the code. This threat modeling process helps developers determine what risks and vulnerabilities exist in the devices and how these risks can be mitigated. It’s significantly cheaper to make these adjustments during the design phase than during prototyping or final testing.

  3. Prototyping: At the prototype phase, developers should put their cybersecurity measures to the test. Cybersecurity researchers conduct penetration testing to observe how the device behaves under various attack scenarios. They may also perform “fuzz testing,” a software testing technique used to discover coding errors and security loopholes in software or operating systems.

  4. Post-Market Updates: Manufacturers must also have a strategy for updating the device as new security threats emerge and operating systems change. There are two important considerations to keep in mind. First, the device must have a secure method for pushing security updates. Second, companies must have processes in place to keep track of new vulnerabilities and respond to them as they emerge. Companies must have dedicated internal resources to track emerging threats and make mitigation recommendations.  

  5. Responsible Disclosure Policy: Risks uncovered by outside agents, accidentally or through deliberate probing, can expose manufacturers if they do not have a publically accessible reporting mechanism and clear internal procedures for investigating and mitigating reported risks. A public, responsible disclosure policy tells potential reporters how to tell you about a vulnerability and what your company will do with the information once it is submitted. Developing a clear internal policy for responding to disclosures, and making both the policy and the reporting mechanism easily visible for the public, can help companies reduce their exposure.

Battelle has put together a suite of services for medical device manufacturers called Battelle DeviceSecure® Services. The Battelle cybersecurity team works with clients to develop a comprehensive security risk management plan that includes:

  • secure design (baking cybersecurity into hardware and software development from the start);
  • vulnerability assessment (characterizing, modeling and measuring existing threats); and
  • anti-tampering and anti-counterfeiting measures.

By putting these protocols into place, developers can minimize risks for patients and hospitals and prepare for emerging market and regulatory expectations.