Abel Archundia, managing director, global life sciences & industrials at ISTARI, provides advice on what medical device companies should do to ensure cyber resiliency.
Wearable devices are becoming increasingly important in clinical settings and for monitoring our day-to-day health and activity. Given the sensitivity of the data, the cyber resiliency of medical devices must be robust and account for the various factors and settings that may affect the efficacy of security controls and data privacy. This is particularly important for wearables, from smartwatches to continuous glucose monitors, which rely on the user to keep their software up to date and their network connections secure.
When discussing the cyber resiliency of medical technology, we must consider two crucial aspects: the level of security of the device itself, and the level of security around the transfer, processing and storage of the data it produces. In both cases, third-party suppliers are likely to be involved. Because these aspects are critical to protecting personal data, the way they are built and operate as an ecosystem must be closely examined for potential threats to resilience. Protecting these value chains is at least as difficult as dealing with other ‘stand-alone’ issues, and possibly more so. Despite the risks, many companies do not prioritise the cyber resiliency of their supply chains or operational ecosystem.
According to the Cyber Security Breaches Survey 2022, 13% of businesses assessed the risks posed by their immediate suppliers, and only 7% reviewed the risks posed by their wider supply chain. This lack of visibility into third-party risk is concerning, as few businesses now control their supply chain the way that was commonplace 30+ years ago, by owning every step. The fragmentation of the market into numerous smaller, specialist players has been notable and makes it more critical for companies to take supply chain resilience seriously.
Three steps to help build a cyber-resilient supply chain
Organisations must elevate their approach to cyber risks to avoid damage to their operation.
1. Define clear ownership - A dedicated team that evaluates and reduces third-party or supply chain risk tends to be more successful: visibility is not lost, and fewer potential weaknesses arise.
2. Prioritise suppliers - Consider risk exposure-based factors when prioritising suppliers, including:
- The products or services they provide
- Access to data
- Which regulatory requirements apply
- Whether they have direct connectivity to systems
Highlighting the mission-critical suppliers is a crucial step. Take a risk-led approach to your supply chain: rank suppliers by the impact on the business if something went wrong, and prioritise scrutinising and building resilience around the highest-impact suppliers first. Companies need to run an internal discovery process to identify which third-party products exist within their environment, how they are produced, and which aspects of the business they support.
3. Think ahead - Examine whether current contractual clauses are fit for purpose for the risk environment, not only for current regulatory compliance. Partners also need to be sought out to help anticipate future risks. Specialists offering continuous third-party risk management services can be onboarded to do this.
Accountability
From a resiliency point of view, the environment in which devices operate is a second major factor. For example, devices such as "smart" hospital beds or radiology equipment function in a highly controlled medical environment, whereas technology such as continuous glucose monitors or smartwatches is used in largely unmonitored day-to-day settings. Context is essential when evaluating these devices' resiliency and determining where legislators should focus regulation.
Given that many outside factors can create gaps in security or privacy, device manufacturers have pushed back against being wholly liable for the resilience of their products. This raises the question of who is accountable for the security of medical technology. Medical device manufacturers must ensure that their devices perform in a specific manner within certain prescribed use parameters. They then need to recommend the conditions under which the buyer can most securely use the device. If manufacturers lead in this way, clinicians, users and eventually regulators will come to demand minimum standards or implement them de facto.
This picture will become even more complex as developers integrate ML and AI more deeply within these devices. The necessary increase in connectivity and data transfer between devices and edge or core systems will create more potential weak points. Whilst many are already cautious about medical data being pooled for analysis, research and, in time, personalised health recommendations, devices with embedded ML and AI are inevitable. We must implement systems that account for this instead of playing catch-up.
Resiliency can only be assured once those involved fully understand the risks. A vulnerable supply chain can cause a ripple effect of damage and disruption. Clear strategies are therefore needed to protect the "crown jewels" of patient data and critical systems. Failure means delays in adopting digital health, which embeds advanced medical devices, and worse public-health outcomes as a result.