From: Boston Business Journal by: Cyndi Izzo
The frequency and severity of medical device risks are escalating as medical devices proliferate in number and cyber-attackers turn their attention to vulnerable environments.
Medical devices represent a ripe target for cyber-threats due to a combination of two factors:
New technology-enabled, networked, and interconnected medical devices are being introduced. These advanced devices increase clinical effectiveness, but open up new attack vectors and cyber-risks. There are still a significant number of older medical devices in use today. These are often insecure, and poorly managed. The current state of vulnerable medical devices is unacceptable and requires an immediate, industrywide call to action. In order to address ever-mounting cybersecurity threats, organizations must take a systematic approach to identification, mitigation, and remediation of risk. This will require all parties (from manufacturers to health care providers) to collaborate to identify cyber-risks and related threats, and plan for mitigation and remediation, to ensure the ongoing safety and security of patients.
The cyber-threat landscape Medical devices in their current state may contribute to the likelihood that the device itself and critical health care services or an entire organization will be compromised. This is due to inadequate cybersecurity practices and governance across the lifecycle of most medical devices.
Any device configured to connect with another device is at risk of an attack. These risks will only escalate in number and severity as organizations and consumers introduce wearable technologies into their everyday lives, make further use of big data capabilities, transmit patient data to different sources over multiple networks, and continue to take advantage of smart computing devices, such as portable electrocardiogram monitors, continuous glucose monitors, wearable defibrillators, etc.
Who's in charge? Many organizations have a multi-stakeholder team responsible for medical device cybersecurity, including corporate IT, product security, product engineering, research and development, risk, legal, compliance, and trusted third parties. The problem is that many different policies, procedures, and controls are referenced when making design, control, and governance decisions, and there is no lead owner to mediate among them.
Organizations can benefit from adopting a “one-policy” view of cybersecurity. This policy should be based upon a thorough evaluation of the specific cyber-threats to a medical device manufacturer, including threats to its products, business processes, supply chain, IT infrastructure, software development, and relationships with third parties.
A regulatory imperative Governments, healthcare industry advocates, medical device manufacturers, and patients have been concerned with cybersecurity for quite some time. Most recently, in early 2016, the Food and Drug Adminstration (FDA) issued draft guidelines for medical device manufacturers that call for cyber-threat intelligence sharing. The FDA’s recent guidance stipulates that an effective cybersecurity risk management program is necessary at both the pre-market and post-market stages. The FDA also appeals to and encourages medical device manufacturers to practice cyber-threat intelligence sharing.
Despite these efforts, many organizations are struggling to understand the FDA’s recent guidance and how to implement recommended changes.
Where to start? As with most initiatives, organizations identify what is at risk and then steer their investments to ameliorate them. This requires that medical device manufactures identify and prioritize cybersecurity threats to their product portfolios. To do this, organizations need to employ a number of review and assessment techniques that include:
Statistical and dynamic code analysis Vulnerability assessments Penetration tests Gap assessments Key control testing Further, organizations should collect and analyze threat intelligence to substantiate existing and emerging threats.
KPMG LLP (KPMG) is a leading advisor to the healthcare and life sciences industry, providing strategy, advisory, audit and tax services to assist clients in growing their business, enhancing performance, and managing risks.