The landscape of the medical device industry is changing, driven by emerging technologies and the influx of smart devices, telemedicine, and new patient care models. This new frontier is not without risks; integrating connected capabilities into medical devices has raised the stakes. In addition to human error or device malfunction, developers and manufacturers must think about things like hacking, malware, breaches, and bugs, making strong cybersecurity checks and balances more relevant than ever.
Regulatory agencies and officials are enforcing security measures to make sure connected medical devices are protected from cyber threats. In order to comply with this regulatory scrutiny and ensure connected devices are safe, developers and manufacturers must familiarize themselves with guidance, regulations, and best practices for mitigating risk. (See Figure 1)
In guidance from 2014, the U.S. Food and Drug Administration (FDA) acknowledged, “the need for effective cybersecurity to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information.” The FDA recommends that developers and manufacturers identify threats, protect against them, and be able to detect, respond to, and recover from attacks. In order to “identify, protect, detect, respond, and recover,” the FDA guidance considers:
- Access Control: This includes everything from determining who can access a device and how, to authentication measures and security. Recommendations include: limiting access to authenticated users via user ID/password, smartcard, or biometric models; ensuring content comes from trusted sources; implementing recovery and fail-safe options; automatic log-outs and/or time-outs after a specified period of inactivity; using layered authentication models to employ different privileges based on user; ensuring applications and devices require a strong password created upon first launch and changed as necessary; and authentication for software and/or firmware updates.
- Trusted Content: These evaluations ensure that all content going to or coming from a device is trusted. Trusted content can be enforced by: confirming trusted origination sources; using administrative tools available only to authorized users; validating digital certificates during software and firmware updates; and using encryption for incoming and outgoing data transfers.
- Recovery Features: Features must be in place to protect a device and its information, should it be compromised. These include: fail-safe and recovery features; recognition of security breaches; logs; and well-defined processes for notifying users when a breach occurs and allowing administrators to retain and recover system configurations.
The FDA has counseled manufacturers to provide justification for a given device’s security functions when submitting information for approval. This ensures the above considerations have been made and integrated into the finished product. Additionally, assurance cases are recommended to be included with 510(K) submissions in many instances.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 contains specific rules to assure confidentiality and protect information. Under HIPAA, connected medical devices and apps must keep personal health data safe and secure. HIPAA calls for administrative safeguards, such as security management processes; information access management; contingency plans; evaluations, and assigned security responsibility, awareness, and training. Physical and technical safeguards, like facility access considerations, workstation security, device/media controls, authentication, transmissions security and access, and audit controls, must be in place.
HIPAA requirements are in line with FDA guidance and with general cybersecurity best practices. Creating a cybersecurity plan for connected medical devices and applications is possible by keeping all three in mind.
Risk management practices are key to limiting the impact of cybersecurity issues. With software, risk management employs defensive coding techniques, continuous testing, integration tests, and configuration management. Third-party review is also an important component. With all reviews and analysis, it’s important to eliminate unnecessary features that may open a device or application to a threat. It is critical to identify defects and have processes in place to address them.
Connected devices should also employ risk management from the design and planning phase. Consider what is expected to connect to the device, as well as aspects that may pose a threat that aren’t directly connected. Disable all ports and access points not required for the user. Research and identify supported devices and operating system combinations to ensure everything is considered in the approach. Take into account all protocols used in the device, as well as the FDA guidelines for cybersecurity during design and development.
For devices and software, it is important to run risk analysis throughout the development cycle to identify known security gaps, detect deviations from standard system functions, and identify and prioritize critical vulnerabilities. To remedy any issues, the root case and impact of exploits must be found. If issues are found, removing the system from the network and notifying affected users to make repairs is warranted.
As perfectly designed as a device may be, human beings are not perfect and, thus, are a risk factor. It’s important to consider the users of your software or device and how they will use it both while developing a product and after a product has been deployed, to address issues as they arise.
For software, in addition to considering users and environments, conditions of how the software will be used are important. Providing consistent interfaces is critical, as is designing the software for all potential users.
For devices, assessments should include consideration of all devices and operating systems supported by the device using a compatibility matrix. Battery considerations, including ease of removing and replacing or recharging, should be made. Design for readability and keep known user limitations in mind; a more user-friendly product can help ensure safety.
Software vulnerabilities can be identified and combatted using several resources. The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is an important one. This past January, the FDA encouraged the use of the framework for medical device and application cybersecurity programs. Among other things, the framework calls upon developers to “identify, protect, detect, respond, and recover,” the same considerations the FDA identified in its guidelines.
Another resource is the Common Weakness Enumerations (CWE), maintained by the National Cybersecurity Division of the U.S. Department of Homeland Security. The CWE lists software weaknesses across various development languages, using a standard scoring system to evaluate potential weaknesses. There are currently more than 1,000 vulnerabilities listed in nearly 250 categories, with scoring based on potential impact. The top 25 CWEs are regularly updated with the most severe exploits.
The Open Web Application Security project (OWASP) is a worldwide nonprofit organization focusing on improving software security. OWASP is an online community that strives to make software security visible so that individuals and organizations can make informed decisions about software security risks.
There are several methods developers and manufacturers can use to identify and mitigate risk. (See Figure 2)
Network scanning, which identifies weaknesses in a network, and vulnerability scanning, which can identify outdated software versions and patches that have not deployed, are valuable ways to find potential weak points and put stronger security in place. These scans will report on open ports, operating system versions, and software applications that may be actively using open ports. Expertise is required for analyzing results to get an accurate picture of what is happening on a device or within software.
Password cracking audits ensure systems and users are utilizing passwords that are secure and comply with policies. Audits should include a policy review to ensure best practices are in place. Auditing system logs can help identify areas that may not follow accepted security procedures and help clarify network topography, while providing actionable information to increase security. Checking the integrity of system files is essential to maintaining the integrity of the system itself. An activity analysis of file system changes during runtime can identify data being sent when the application or device is in use. It’s important to run a daily file integrity check to quickly identify compromises in a system.
Using both manual expertise and automated tools to detect viruses, worms, Trojans, backdoors, keystroke loggers, root kits, and spyware is a good idea. The best method to identify malware is to frequently update software definition files and regularly perform system-wide malware checks. Using a combination of network installed and end-user installed tools is generally best practice.
This assessment attempts to circumvent a system’s security features based on a known understanding of how it works. It uses an incremental approach, using minimum level access and attempting to gain greater access, to mimic a real-world attack. It can be performed overtly, working with internal teams, or covertly, simulating an external attack, to determine weak points and/or knowledge and implementation of cybersecurity policies.
While each developer and implementer requires a unique approach to cybersecurity, there are general recommendations that should be considered to maintain compliance with industry standards, FDA guidelines, and HIPAA requirements.
- Establish a routine assessment plan for all applications in contact with data. This should include regular system evaluations and software configuration verifications. This can often proactively prevent incidents from occurring.
- Assess public-facing systems first. These systems are the most vulnerable to attacks and breaches. Internal controls that follow standard procedure must be in place for these reviews to be effective.
- Coordinate security assessments with all connected parties. Evaluations can put stress on the system being tested and mimic an actual attack. Keep internal teams aware when an assessment will occur to help avoid false alarms and potentially wasted resources.
- Do not perform assessments on a system with live users. Performing assessments on a live application can create dangerous environments for users who rely on accurate data. Evaluations should be run on a set that does not include live data and will not impact an active user.
- Integrate cybersecurity workflow into development. Cybersecurity assessments can uncover vulnerabilities and unexpected results. Identifying any potential issues early in the development of a product will cost less than if these issues are uncovered after a product is released publicly.
- Ensure systems are up to date. Many breaches occur because of missed patches or updates. Having a centrally organized, distributed policy on testing and patch releases, as well as public-facing updates, is important. Because of the differences between hardware and software, new combinations and interactions may occur any time a patch or update is sent, so a test procedure to validate any new patches should be in place prior to a general release.
- Enlist independent reviews. An independent, experienced security expert can perform assessments, filling an essential role, particularly if in-house teams do not exist or have limited capacity. The expert should be familiar with current FDA guidelines for cybersecurity and medical applications.
A cybersecurity assessment is one of the most important methods of vetting and determining if a developer has used current security and best practices to protect data. Implementing methodologies like those listed above can help save time and money in any project. Routine assessments and reviews can also mean the difference between a connected device’s success and failure.
This article was written by Delmar Howard, Program Manager, Intertek, Oak Brook, IL. For more information, Click Here .