Healthcare, by its very nature, deals with sensitive patient data. In addition to medical records, much of the medical equipment today is network connected, and vulnerable to potential cyberattacks.
In October, the US Food and Drug Administration (FDA) issued pre-market guidance for medical devices containing cyber risks. Weeks later, Health Canada released a guidance document for pre‐market requirements for medical device cybersecurity. This document is designed to help medical device manufacturers during the product development stage, providing cybersecurity recommendations to ensure products are secure before they are released to the market.
Cybersecurity presents multiple risks to healthcare providers and device manufacturers, including legal liability, lost revenue, and a loss of patient and customer trust. The rapid growth of connected devices requires the healthcare industry to take steps to minimize the threat of security incidents and breaches. To that end, medical device manufacturers need to ensure security is built into their products during product planning and development.
The Health Canada guidance document for pre‐market requirements for medical device cybersecurity encourages manufacturers to secure all connections between other devices and interfaces. This will ensure best practice for secure authentication when connecting to back-end systems, like servers and electronic health record systems. The guidance also includes securing connections between devices and back-end systems with encryption for data at rest, and data on the device, and puts in place recommendations for user access controls to grant access and privileges to the device.
From a security industry perspective, the proper implementation of PKI and the use of digital certificates is the best way to securely authenticate devices to back-end systems and encrypt data in transit.
Virtually every industry is susceptible to cybercrime, but healthcare is an industry where cyber-threats can have a direct impact on individual lives, for both personal information and physical safety. While cybersecurity is a shared responsibility for device manufacturers, regulators, healthcare IT, and patients and clients; having security protection guidance in the pre-market development of medical devices is vital to protecting all parties within the healthcare ecosystem.
Connected medical devices are everywhere. Ensuring cybersecurity protection is becoming more challenging as more devices enter the market. Connected medical devices include diagnostic equipment, picture archiving communication systems (PACS), such as MRIs and CAT scans, laboratory equipment, infusion systems, and even patient beds are now connected. Device manufacturers now provide tablet computers that are used throughout hospitals to monitor and collect data from connected devices. The most rapidly growing connected medical devices are consumer products, like cardiac, neurology and diabetic devices that include continuous glucose monitors and insulin pumps. These consumer devices are worn by, or embedded within, patients, and the data they collect is commonly sent via Bluetooth to their smartphones and smartwatches, and then wirelessly sent to the cloud. Whether medical devices are purchased by hospitals, or by patients and consumers, the Health Canada guidance applies to all devices.
The Health Canada guidance document takes into consideration the prevention of unauthorized individuals attempting to alter a device by manipulating configuration settings and makes recommendations on incorporating product security testing into the manufacturer’s verification and validation processes. The recommended strategy includes having a secure device design, device-specific risk management, verification and validation, as well as a plan for monitoring and responding to emerging risks.
Health Canada should be applauded for their efforts in helping to drive manufacturers to be more responsive in the handling of cybersecurity issues by providing substantial, tangible and actionable guidance. This is welcome regulatory guidance that will help manufacturers develop a strategy to ensure security is integral in the development of their medical devices.