
10 Ways to Meet Medical Device Cybersecurity Expectations

When you understand all the potential threats to your device, you can do more to meet stringent regulations successfully.

[Image: Digital application connected to a computed tomography (CT) scanner]

May 14, 2022

Medical devices have been notoriously vulnerable to cyberattacks: they can be slow to get patched and often run older software versions. Hackers know this. It’s important for manufacturers to understand the potential threats facing their medical devices, even if their device doesn’t store or transmit sensitive patient data.

Attackers target medical devices for a variety of reasons:

  • To gain access to information contained on the device
  • To interfere with the device’s operation
  • To use the device as a host for general-purpose malware, for example to build a botnet or send spam
  • To access the network or other computing equipment connected to the medical device

For all these reasons, regulators have raised the cybersecurity bar high for medical devices. Below are 10 things manufacturers can do to help meet regulators’ expectations, starting in design and development.

1. Determine regulatory and industry-standard cybersecurity requirements based on your target market(s) and on the cybersecurity capabilities your customers expect of your product.

2. Integrate cybersecurity into your quality management system (QMS), risk management (RM) process and secure software development life cycle (sSDLC) processes, including vulnerability management and incident response.

3. Derive recommended security controls and capabilities and record them as part of your design inputs.

4. Perform security risk management and create a risk management file. The file should contain a threat model with all reasonably foreseeable cybersecurity threats, attack surfaces, attack vectors and cybersecurity risk control measures for each component within a well-constructed software bill of materials (SBOM).

5. Consult with regulators or a third-party expert early in the design process if you’re unsure about your product’s required security controls.

6. Develop and manufacture your product in a controlled environment to ensure that the requirements of standards such as ISO 13485, ISO 14971 and IEC 62304 are met.

7. Verify and validate security risk controls through testing and reviews based on recommended standards and best practices, such as ANSI/CAN/UL 2900-1: Standard for Software Security for Network-Connectable Products Part 1: General Requirements; and ANSI/CAN/UL 2900-2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems.

8. Create appropriate product labeling to mitigate potential risks and inform device users of any residual cybersecurity risks so they have the opportunity to implement compensating controls as needed.

9. Include cybersecurity test reports and documentation in your design history file for use with pre-market regulatory clearance submissions required for market access.

10. Maintain cybersecurity throughout your product’s entire life cycle, from ideation to disposal.
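Step 4 asks for a threat model that covers every component in the SBOM, and step 8 asks that residual risks be disclosed to users. The following added example (not from this article or from any standard or tool it mentions) shows one shape such a risk-management-file entry can take: it parses a CycloneDX-style SBOM, matches each component against an advisory feed by version, combines the component’s attack surface with the advisory’s impact rating, applies the recorded risk control measure, and flags residual risks above an acceptance threshold for labeling. The SBOM, the advisories, the attack-surface and control tables, the 1-5 likelihood/impact scale and the threshold are all constructed for illustration and are not real device or vulnerability data.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM (only the fields this example reads).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2u",
     "purl": "pkg:generic/openssl@1.0.2u"},
    {"type": "library", "name": "lwip", "version": "2.1.3",
     "purl": "pkg:generic/lwip@2.1.3"},
    {"type": "application", "name": "busybox", "version": "1.30.1",
     "purl": "pkg:generic/busybox@1.30.1"},
    {"type": "operating-system", "name": "freertos", "version": "10.4.6",
     "purl": "pkg:generic/freertos@10.4.6"}
  ]
}
"""

# Constructed advisory feed (not real CVE data): component name, first version
# that is no longer affected, the threat the weakness enables and a 1-5 impact.
ADVISORIES = [
    {"name": "openssl", "fixed_in": "1.1.1",
     "threat": "remote memory disclosure over the TLS service", "impact": 5},
    {"name": "lwip", "fixed_in": "2.1.3",
     "threat": "malformed packet crashes the IP stack", "impact": 4},
    {"name": "busybox", "fixed_in": "1.31.0",
     "threat": "local privilege escalation via the service shell", "impact": 4},
]

# Constructed threat-model inputs: where each component is reachable from
# (attack surface) and which risk control measure the design applies to it.
ATTACK_SURFACES = {
    "openssl": "network: TLS listener on the hospital LAN",
    "lwip": "network: IP stack on the hospital LAN",
    "busybox": "local: service technician shell",
    "freertos": "local: kernel, no direct external input",
}
RISK_CONTROLS = {
    "openssl": "update to 1.1.1 and restrict the listener to the device VLAN",
}
# Constructed acceptance policy: a residual likelihood x impact above this
# value must be disclosed in labeling so users can apply compensating controls.
RISK_ACCEPTANCE_THRESHOLD = 6


@dataclass
class Component:
    name: str
    version: str
    purl: str
    kind: str


def parse_sbom(text: str) -> list[Component]:
    """Read the components list out of a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [Component(c["name"], c["version"], c.get("purl", ""), c.get("type", ""))
            for c in doc["components"]]


def version_key(version: str) -> tuple[int, ...]:
    """Numeric prefix of each dotted part, so '1.0.2u' -> (1, 0, 2)."""
    parts = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(comp: Component, adv: dict) -> bool:
    """A component is affected when it is older than the advisory's fixed version."""
    return comp.name == adv["name"] and version_key(comp.version) < version_key(adv["fixed_in"])


def build_register() -> list[dict]:
    """Produce one risk-management-file row per component and known threat."""
    register = []
    for comp in parse_sbom(SBOM_JSON):
        surface = ATTACK_SURFACES.get(comp.name, "unknown: treat as externally reachable")
        likelihood = 4 if surface.startswith("network") else 2  # constructed scale
        control = RISK_CONTROLS.get(comp.name)
        threats = [a for a in ADVISORIES if is_affected(comp, a)]
        if not threats:  # still documented: the model must cover every component
            register.append({"component": comp.purl, "attack_surface": surface,
                             "threat": "no known advisory", "initial_risk": 0,
                             "control": control or "none", "residual_risk": 0,
                             "disclose_in_labeling": False})
        for adv in threats:
            residual = (1 if control else likelihood) * adv["impact"]
            register.append({"component": comp.purl, "attack_surface": surface,
                             "threat": adv["threat"],
                             "initial_risk": likelihood * adv["impact"],
                             "control": control or "none", "residual_risk": residual,
                             "disclose_in_labeling": residual > RISK_ACCEPTANCE_THRESHOLD})
    return register


if __name__ == "__main__":
    for row in build_register():
        flag = "DISCLOSE" if row["disclose_in_labeling"] else "accept"
        print(f'{row["component"]:32} {row["initial_risk"]:>2} -> {row["residual_risk"]:>2} '
              f'{flag:8} {row["threat"]}')
```

The version comparison deliberately ignores letter suffixes, which is adequate for the constructed data but not for every ecosystem; a real risk file would use the version scheme the component’s package manager defines. The point of the row structure is traceability: each residual risk points back to an SBOM component, an attack surface and the control that justifies it, which is what a reviewer of the risk management file will look for.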

These steps may be challenging for medical device manufacturers to take on, but heeding them will go a long way toward supporting a safe, secure healthcare delivery system. For more information and tips on how to meet regulators’ cybersecurity expectations, check out our on-demand webinar.