Medical Device Breaches in 2015
After a number of major data breaches in 2015, which together exposed 112 million health records, medical device manufacturers have become the newest focus of cybersecurity scrutiny.
With an ever-growing number of medical devices connecting to both internal networks and the Internet, the threat of attacks on such devices has increased tremendously in the past year. In response, the Food and Drug Administration (FDA) has drafted a new set of guidelines for medical device manufacturers.
The FDA’s general principles call on manufacturers to develop a set of cybersecurity controls that keep medical devices functioning safely. Under these guidelines, the overall security of medical devices is a shared responsibility between health care facilities, patients, providers and manufacturers, because a failure to maintain medical device security could result in patient illness, injury, or death.
The new FDA guidelines indicate that medical device manufacturers should address cybersecurity vulnerabilities during design and development through the following measures:
- Identification of assets, threats, and vulnerabilities;
- Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
- Assessment of the likelihood of a threat and of a vulnerability being exploited;
- Determination of risk levels and suitable mitigation strategies;
- Assessment of residual risk and risk acceptance criteria.
According to the FDA guidance Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Guidance for Industry and Food and Drug Administration Staff), medical device manufacturers should provide the following information about the cybersecurity risks of their device(s):
1.) Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
- A specific list of all cybersecurity risks that were considered in the design of your device;
- A specific list and justification for all cybersecurity controls that were established for your device.
2.) A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered.
3.) A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness. The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity.
4.) A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g. remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer; and
5.) Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g. anti-virus software, use of firewall).
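To make the five assessment steps above and the traceability matrix of item 2 concrete, here is an added Python sketch (example code written for this post, not part of the FDA guidance or of any manufacturer's process). It scores a constructed risk register for a hypothetical networked infusion pump, derives the residual risk after each mapped control, checks it against an acceptance criterion, and builds the risk-to-control traceability matrix, flagging risks with no control and controls that trace to no considered risk. The 3x3 risk matrix, the one-step-per-control reduction, the acceptance level and every risk and control entry are assumptions chosen for illustration.

```python
"""Risk register and traceability matrix for a device premarket submission.

Constructed example for this post: the risks, controls, 3x3 risk matrix and
acceptance criterion are illustrative assumptions, not FDA-defined values.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")  # ordinal scale for likelihood, impact, risk

# Step 4: risk level from (likelihood, impact). Assumed 3x3 matrix.
RISK_MATRIX = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}
ACCEPTANCE_LEVEL = "medium"  # step 5: residual risk at or below this is accepted (assumed)

@dataclass
class Risk:
    """Step 1 triple (asset, threat, vulnerability) with the step 2/3 ratings."""
    id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

@dataclass
class Control:
    """A mitigation, the risk ids it traces to, and which factor it lowers."""
    id: str
    description: str
    mitigates: tuple
    reduces: str  # "likelihood" or "impact"

def risk_level(likelihood, impact):
    return RISK_MATRIX[(likelihood, impact)]

def step_down(level):
    """Lower an ordinal level by one step; 'low' stays 'low'."""
    return LEVELS[max(LEVELS.index(level) - 1, 0)]

def residual_risk(risk, controls):
    """Apply each control mapped to this risk; each lowers one factor one step."""
    likelihood, impact = risk.likelihood, risk.impact
    for c in controls:
        if risk.id in c.mitigates:
            if c.reduces == "likelihood":
                likelihood = step_down(likelihood)
            else:
                impact = step_down(impact)
    return risk_level(likelihood, impact)

def assess(risks, controls):
    """Steps 4 and 5: inherent level, residual level and acceptance per risk."""
    report = {}
    for r in risks:
        res = residual_risk(r, controls)
        report[r.id] = {"inherent": risk_level(r.likelihood, r.impact),
                        "residual": res,
                        "accepted": LEVELS.index(res) <= LEVELS.index(ACCEPTANCE_LEVEL)}
    return report

def traceability_matrix(risks, controls):
    """Map each considered risk to its controls and flag the two gaps a reviewer
    looks for: risks with no control, and controls tracing to no considered risk."""
    known = {r.id for r in risks}
    matrix = {r.id: sorted(c.id for c in controls if r.id in c.mitigates) for r in risks}
    unmitigated = [rid for rid, cids in matrix.items() if not cids]
    orphans = [c.id for c in controls if not known.intersection(c.mitigates)]
    return matrix, unmitigated, orphans

# Constructed sample register for a hypothetical networked infusion pump.
RISKS = [
    Risk("R1", "pump firmware", "malicious firmware loaded via service port",
         "update image not authenticated", "medium", "high"),
    Risk("R2", "patient telemetry", "eavesdropping on Wi-Fi", "cleartext transmission",
         "high", "medium"),
    Risk("R3", "service account", "login with shared default password",
         "hardcoded credential", "high", "high"),
    Risk("R4", "audit log", "operator clears log to hide misuse",
         "log not write-protected", "low", "medium"),
]
CONTROLS = [
    Control("C1", "Firmware images signed; device verifies before install", ("R1",), "likelihood"),
    Control("C2", "Telemetry sent over TLS", ("R2",), "likelihood"),
    Control("C3", "Unique per-device service credential set at manufacture", ("R3",), "likelihood"),
    Control("C4", "Service port disabled unless physically unlocked", ("R3",), "likelihood"),
    Control("C5", "Anti-virus recommended in instructions for use", ("R9",), "likelihood"),  # R9 not in register
]

if __name__ == "__main__":
    for rid, row in assess(RISKS, CONTROLS).items():
        print(rid, row)
    matrix, unmitigated, orphans = traceability_matrix(RISKS, CONTROLS)
    print("traceability matrix:", matrix)
    print("risks with no control:", unmitigated)     # ['R4']
    print("controls tracing to no risk:", orphans)   # ['C5']
```

Run directly, it prints the per-risk report and the matrix. The two flagged gaps are the ones a submission reviewer asks about: R4 has no control, so its residual risk needs an explicit acceptance rationale, and C5 traces to no considered risk, so it cannot be justified against the risk list item 1 requires.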
Please contact our Information Security Specialists with any questions you have regarding medical device cybersecurity.