Experts: Incorporate CyberSecurity Into Design, Development Process

With a number of attempted and successful cyberattacks making headlines, what steps can medical devicemakers take to ensure the security of their products?

By identifying stakeholder needs, defining a security risk process and recognizing and implementing appropriate security requirements, devicemakers can set themselves up for success.

Using cybersecurity expertise during the design phase, verifying security requirements through penetration and fuzz testing, creating a responsible disclosure policy, and updating and maintaining devices in the postmarket setting are additional steps to take.

All of these steps are essential to incorporating security in the device design and development process, a move encouraged by the FDA in its October 2014 cybersecurity guidance.

“Just like safety, a security process is ongoing and living until that product is retired,” and manufacturers should adhere to this philosophy throughout the product lifecycle, said Melissa Masters, director of Battelle DeviceSecure Services, and her colleague Stephanie Preston, a senior medical device security engineer during a recent FDAnews webinar titled Medical Device Cybersecurity Quality Assurance: Requirements, Best Practices & Innovative Approaches. That said, “safety should always trump security,” she said.

Full Disclosure

Devicemakers also need a responsible disclosure policy for instances when a cyber vulnerability is identified by an outside party, Preston said. “Hackers and security researchers are going to be looking at your device.”

At least one device company, Philips, is taking it a step further, following the lead of tech leaders such as Google and offering “bug bounties,” or cash awards, to those who find and report security issues.

So, what’s the worst thing a devicemaker can do when someone reports a security vulnerability? According to Preston, it’s not responding at all. “Reporters are generally just trying to do the right thing,” she said. Ignoring the reporter means he or she could make the disclosure public, leading to greater embarrassment to the company.

To avoid such chagrin, companies should do the following:

• Establish a reliable way for a reporter to contact you;
• Respond to reports acknowledging receipt of their submission;
• Validate reporters’ finding, reaching out to them for additional information, if necessary;
• Consider asking the reporter for aid in validating any patches; and
• Work with the reporter to establish a public partial disclosure date.

Two industries that are leading the way in cybersecurity are the financial and airline industries. Preston says that methods used by the airline industry, in particular, correlate to medical devices.

“While the systems are larger, both in size and complexity, than most medical devices, the development regulations and reviews that an aircraft goes through have heavily evolved over the past few decades,” she said.

There are a number of resources to help devicemakers as they work to incorporate security into the design and development process, Masters and Preston said. The Association for the Advancement of Medical Instrumentation also is working on Technical Information Report 57, Principles for medical device information security risk management, which is expected soon, according to Masters. In addition, international standard ISO 14971: 2012 – Application of risk management to medical devices, provides an overview of the risk-management process through the medical device’s lifecycle.

There’s a growing concern in the medical device industry: cybersecurity. The FDA is issuing new guidances. Security researchers have published serious vulnerabilities, and patient safety is at stake. Bad publicity and potentially huge financial consequences are on the horizon. Are you ready? FDAnews’ Cybersecurity Threats to Medical Devices - Webinar CD/Transcript will show you how to stay vigilant and anticipate a variety of network threats.