5 Best Practices for Designing in Medical Device Cybersecurity Controls

Published on November 13, 2018

Connected Medical Devices Are Integrating A Number Of Disparate Technologies And Cloud Services Which Can Expose Security Flaws Through Their Integration. Find Out What The Key Steps Are In Designing In Cybersecurity Controls.

Increased connectivity between medical devices, other clinical systems, and the cloud has exposed medical devices to cybersecurity threats from which they were previously shielded. Connected medical devices are integrating a number of disparate technologies and cloud services that come from different vendors which can expose security flaws through their integration. In most cases, these components and services have not been developed to identify or mitigate these threats.

1. Designing in Security

Every medical device requires clearly setting out the design features and cybersecurity controls at the start of the design and development process. From a data protection strategy perspective, start out by clearly mapping out and defining your product or service ecosystem, stakeholders.  This will provide you with an understanding of how data travels through the system, where data originates, how it is to be processed, who owns and manages the data, who needs access to what parts of the data. For connected devices using cloud services for support and maintenance, this also helps to identify opportunities to how to secure the data and which regulations (FDA, HIPAA) apply. Once this is completed then a threat model can be developed as part of the risk assessment and control strategies.

You might likeHow to Create a Product Ecosystem Map

2. Develop a Risk Assessment and Control Strategy

The best place to start is with risk assessments of your current device deployments and to identify the required security and privacy controls that need to be put in place to help mitigate the most serious security threats and vulnerabilities.

Here are a few of the basics involved in implementing and maintaining security over time:

  • Undertake a privacy and security evaluation to ensure that the device has the required security controls to ensure that patient data is collected, stored, and transmitted in a way that is consistent with organizational policy.
  • Perform a threat risk assessment, this will help you identify what assets you have to protect, who or what may be the threat, the impact of a loss on your organization or patients, the value of the assets, and what you should do to minimize risks to the assets.
  • Develop a threat model or an attack tree, which is a blueprint that lays out how an attacker may successfully fulfill their objective, whether that objective may be stealing health records, or exploiting a vulnerability in an implant device to cause harm.

E-GuideDeveloping a Health Data Strategy

3. Conduct Regular Security Audits

Conducting regular audits of people, processes and technology help identify current known threats and allow you to mitigate the risks. To prepare for an intrusion, companies whose devices may be subject to hacking (which is all companies) should look to schedule audits and develop and review their incident response plan. When it comes to audits of medical devices, penetration testing is a recommended approach. Penetration testing is an authorized simulated attack on a company’s security by way of interconnectivity devices and communications systems or processes and people. These tests help to evaluate how easy it is for criminal hackers to breach the security to gain resources such as data, disrupt operations or modify systems that could impact patient health. The objective of penetration testing is to identify vulnerabilities and weakness in the system, allowing a full risk assessment to be completed. However, penetration testing is not a “one and done” solution and companies can fall victim to complacency if they do not effectively manage the audit.

4. Prepare a Pre-Audit Checklist

Before your organization begins the auditing process, to save the company time and money, it is recommended that you first answer the following questions.

  • Information Classification: What information is valuable or sensitive, and think beyond just patient information.  Consider access controls, audit logs, security keys, code bases, etc. – Answering this question will help both the auditor and the company determine what security controls should be implemented to protect the information and where to implement them to be most effective. The most important information should have the most restrictive security controls to access it, and least important information should have least. Well-determined information classification can save the auditor time, as well as save the company money when performing tests and developing mitigation strategies by determining the asset value (AV) and the exposure factor (EF), the likelihood a vulnerability or threat adds to the percentage chance that a loss will occur to an asset.
  • Threat Assessment: What threats do your client’s sensitive information and medical devices face? – having an understanding of who and how one may wish to illegally access patient records, or exploit a vulnerability in implanted medical devices to harm a patient will assist the auditor to look at the most relevant vulnerabilities and the likelihood that they may be exploited. It will also assist the company in making the financial decision such as which mitigation strategies suit the company’s needs in protecting sensitive information and ensuring the safety of the patient. The threat landscape is rapidly evolving and getting more and more complex so unless you have cybersecurity experts within your company, it is suggested you let the auditor help you with this step.
  • Audit Objective: The objective for an audit is an important goal that is set to prioritize the time and other resources an auditor will spend on the areas most critical to the customer. What deliverables are you expecting from the Audit? – you will save time if you can answer this question. It may be to achieve or strengthen your compliance with such regulations such as HIPAA or HITECH. Or, to protect critical assets like patient information that are on legacy equipment and operating systems that you are unable to replace? Is it to test how your overall IT security measures up because the company is concerned about their security state in light of all the recent cyber-attacks and data breaches?
  • Audit Scope: It is critical that the right systems, people or organizations are being audited.  This is different from the audit objective and it focuses on what the company will allow the auditor to do in its pursuit of the objective. The company and auditor, therefore, will come to a written agreement about what can and cannot be targeted in an audit. When it comes to in-home Healthcare devices and data, it is generally the provider of the devices who will wear the responsibility, therefore it is suggested that the people, processes, and technology surrounding the issuance, administration and maintenance of in-home Healthcare devices be part of the audit scope.

5. What to do “not if” but “when” we get hacked

Assume you will be hacked at some point. Be prepared to respond with a plan for incident response and handling, business continuity, disaster recovery, and lessons learned. Your plan should take into consideration some of the following elements:

  • A framework for incident response and handling. Use the US government’s National Institute of Standards and Technology (NIST) Special Procedure (SP) 800-61 as a reference.
  • Determine the scale an scope of the incident.
  • What steps need to be taken between Detecting an incident and Post-Incident Activity; how do we get back to normal operations?
  • Clearly outline and communicate who is responsible for what actions when an incident occurs, and who must be notified.
  • Stress test your plan
  • What lessons have we learned from the incident?

This post isn’t meant to keep you up at night about what could happen but rather highlight the considerations that need to be taken into account to keep your medical devices and network secure. Like any risk, a proper mitigation strategy can make the difference between a risk occurring and impacting your organization versus one that everyone in the organization is aware of and contributes efforts to manage and reduce the risk of occurring.

There is no silver bullet for achieving security and it definitely cannot be considered as an afterthought once a design has been completed or considered at the development phase but forgotten about after deployment.  Security needs to be a constant focus from product conception, design, development, deployment, maintenance, and support. What you do at each of these stages is unique for each stage. What should be common across it all is a culture and quality management approach with a singular focus on keeping your solution secure.

Learn More:  Register for our Free Webinar: “How to Tackle CyberSecurity for Connected Medical Devices

Guest Author Geoffrey Parker Director of Healthcare Software Developmentt, at  Macadamian’s.