Dave Easton, director of Zener Engineering Services, writes about how a medical device firm can protect its products against cybersecurity threats.
Digital data exchanges between medical devices and portable media containing patient health-related information present a significant opportunity for clinicians to provide speedier and more appropriate healthcare.
More recently, an effective cybersecurity approach to ensure medical device functionality, and in turn patient safety, has become paramount for medical device manufacturers and healthcare providers alike, due to the increased use of the internet, cloud services and network-connected medical devices.
Cybersecurity threats to all electronic installations have become more frequent. In May 2020 easyJet announced that a "highly sophisticated cyber-attack" had affected approximately nine million customers. Email addresses and travel details had been stolen and 2,208 customers had also had their credit card details "accessed".
Cybersecurity threats have become more frequent and, in the case of the healthcare setting, potentially more severe due to the risk of clinical patient impact. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the UK and globally.
In May 2017, WannaCry malware, which spread to more than 150 countries in a worldwide ransomware outbreak, was the biggest cyberattack to have hit the NHS to date. The malware encrypted data on infected computers and demanded a ransom roughly equivalent to £230. The consequences of the attack were exacerbated by the fact that an assessment of 88 out of 236 trusts undertaken by NHS Digital before the attack found that none passed the required cyber-security standards.
More and more medical devices are utilising software with varying degrees of potential patient impact. In the healthcare setting, cyberattacks can delay diagnoses and/or treatment and may lead to significant patient harm.
During the manufacturing process of the software-utilising medical device, a suitable approach to cybersecurity and software vulnerabilities needs to be established by the manufacturer.
To demonstrate reasonable and trustworthy assurance of the safety and effectiveness of new software-utilising medical devices against cyber incidents, regulatory bodies require documented evidence of a suitable level of software security. Documented evidence that a medical device has suitable and effective cybersecurity measures is part of the pre-market review.
In October 2018 the FDA released draft cybersecurity guidance, 'Content of Premarket Submissions for Management of Cybersecurity in Medical Devices'. The functionality statement includes medical device considerations such as:
- Management of private data
- Security capabilities
- Audit controls
- Authorisations
- Security features
- Upgrades
Zener Engineering Services provides assistance to help medical device manufacturers design their devices in a way that helps protect against cyber incidents and subsequent potential patient harm. ZES can advise on and help implement suitable protection mechanisms to prevent all unauthorised use, whilst ensuring the security and integrity of the code, data, and the medical device's functionality.