5 Best Practices for Designing in Medical Device Cyber Security Controls

Geoffrey Parker | November 7, 2018 | 7 Min Read

There is no silver bullet for achieving security and it definitely cannot be considered an afterthought once a design has been completed, or considered at the development phase but forgotten about after deployment. Security needs to be a constant focus from product conception, design, development, deployment, maintenance, and support.

Increased connectivity between medical devices, other clinical systems, and the cloud has exposed medical devices to cybersecurity threats from which they were previously shielded. Connected medical devices are integrating a number of disparate technologies and cloud services that come from different vendors which can expose security flaws through their integration. In most cases, these components and services have not been developed to identify or mitigate these threats.

Webinar – Tackling Security of Connected Medical Devices

1. Designing in Security

Every medical device requires clearly setting out the design features and cybersecurity controls at the start of the design and development process. From a data protection strategy perspective, start out by clearly mapping out and defining your product or service ecosystem, and stakeholders. This will provide you with an understanding of how data travels through the system, where data originates, how it is to be processed, who owns and manages the data, who needs access to what parts of the data. For connected devices using cloud services for support and maintenance, this also helps to identify opportunities for how to secure the data and which regulations (FDA, HIPAA) apply. Once this is completed then a threat model can be developed as part of the risk assessment and control strategies.

How To Develop A Data Strategy – Download the eBook.

2. Develop a Risk Assessment and Control Strategy

The best place to start is with risk assessments of your current device deployments and to identify the required security and privacy controls that need to be put in place to help mitigate the most serious security threats and vulnerabilities.

Here are a few of the basics involved in implementing and maintaining security over time:

  • Undertake a privacy and security evaluation to ensure that the device has the required security controls to ensure that patient data is collected, stored, and transmitted in a way that is consistent with organizational policy.
  • Perform a threat risk assessment, this will help you identify what assets you have to protect, who or what may be the threat, the impact of a loss on your organization or patients, the value of the assets, and what you should do to minimize risks to the assets.
  • Develop a threat model or an attack tree, which is a blueprint that lays out how an attacker may successfully fulfill their objective, whether that objective may be stealing health records, or exploiting a vulnerability in an implant device to cause harm.

3. Conduct Regular Security Audits

Conducting regular audits of people, processes, and technology helps to identify current known threats and allow you to mitigate the risks. To prepare for an intrusion, companies whose devices may be subject to hacking (which is all companies) should look to schedule audits and develop and review their incident response plan. When it comes to audits of medical devices, penetration testing is a recommended approach. Penetration testing is an authorized simulated attack on a company’s security by way of interconnectivity devices and communications systems or processes and people. These tests help to evaluate how easy it is for criminal hackers to breach the security to gain resources such as data, disrupt operations or modify systems that could impact patient health. The objective of penetration testing is to identify vulnerabilities and weaknesses in the system, allowing a full risk assessment to be completed. However, penetration testing is not a “one and done” solution and companies can fall victim to complacency if they do not effectively manage the audit.

4. Prepare a Pre-Audit Checklist

Before your organization begins the auditing process, to save the company time and money, it is recommended that you first answer the following questions.

Information Classification: What information is valuable or sensitive, and think beyond just patient information. Consider access controls, audit logs, security keys, codebases, etc. – Answering this question will help both the auditor and the company determine what security controls should be implemented to protect the information and where to implement them to be most effective.

Threat Assessment: What threats do your client’s sensitive information and medical devices face? – having an understanding of who and how one may wish to illegally access patient records, or exploit a vulnerability in implanted medical devices to harm a patient will assist the auditor to look at the most relevant vulnerabilities and the likelihood that they may be exploited.

Audit Objective: The objective for an audit is an important goal that is set to prioritize the time and other resources an auditor will spend on the areas most critical to the customer. What deliverables are you expecting from the Audit? – you will save time if you can answer this question.

Audit Scope: It is critical that the right systems, people or organizations are being audited. This is different from the audit objective and it focuses on what the company will allow the auditor to do in its pursuit of the objective.

5. What to do “not if” but “when” we get hacked

Assume you will be hacked at some point. Be prepared to respond with a plan for incident response and handling, business continuity, disaster recovery, and lessons learned. Your plan should take into consideration some of the following elements:

  • A framework for incident response and handling. Use the US government’s National Institute of Standards and Technology (NIST) Special Procedure (SP) 800-61 as a reference.
  • Determine the scale and scope of the incident.
  • What steps need to be taken between Detecting an incident and Post-Incident Activity; how do we get back to normal operations?
  • Clearly outline and communicate who is responsible for what actions when an incident occurs, and who must be notified.
  • Stress-test your plan
  • What lessons have we learned from the incident?

This post isn’t meant to keep you up at night about what could happen but rather highlight the considerations that need to be taken into account to keep your medical devices and network security. Like any risk, a proper mitigation strategy can make the difference between a risk occurring and impacting your organization versus one that everyone in the organization is aware of and contributes efforts to manage and reduce the risk of occurring.

If you are exploring bringing a connected medical device to market, let’s chat about how Macadamian can provide added expertise in cybersecurity and interoperability.

Contact Us

For those who wish to learn more, download below our best practices guide to securing connected medical devices. Inside you’ll find detailed insights and resources for protecting your product from a growing number of cybersecurity threats.

Guest Author: Justin Gratto, Senior Security Consultant, Secure State Cyber

Download: Best Practices for Securing Connected Medical Devices

Suggested Stories

Health Information System Integration

In this webinar, we discuss interoperability in healthcare and answer attendee questions on Health Information System integration. Download the webinar Now.

Read More

Guide to Creating Engaging Digital Health Software

This guide shares our knowledge and insights from years of designing and developing software for the healthcare space. Focusing on your user, choosing the right technology, and the regulatory environment you face will play a critical role in the success of your application.

Read More

Accelerate Time To Market Using Rapid Prototyping

In this webinar, you will learn how to leverage rapid prototyping to accelerate your products time to market in one week, agile sprints.

Read More