Cybersecurity Labeling: The Key to Transparency and Accountability in Medical Device Security

Unlocking the Importance of Cybersecurity Labeling for Medical Devices

In the rapidly evolving world of medical technology, cybersecurity has become a critical concern for both manufacturers and healthcare providers. As devices become increasingly connected and data-driven, the need for transparent and comprehensive cybersecurity labeling has never been more pressing.

In this blog post, we’ll explore the nuances of cybersecurity labeling, its role in fostering accountability, and the best practices for medical device manufacturers to communicate security information to their customers effectively.

Understanding Cybersecurity Labeling: A Primer

Cybersecurity labeling, in the context of medical devices, refers to the information that manufacturers must provide to users and patients regarding the security risks and mitigations associated with their products. This labeling serves a dual purpose: it empowers healthcare providers to make informed decisions about the devices they purchase, and it holds manufacturers accountable for the security of their products.

As Christian Espinosa, CEO of Blue Goat Cyber, explains, “Labeling is the information that a manufacturer or a MedTech innovator needs to portray to users and patients. This will essentially fall under the cybersecurity context. What risk are they taking on by using the product, and how can they work to mitigate that risk?”

The concept of cybersecurity labeling is not entirely new, as it builds upon the long-standing tradition of product labeling in the medical device industry. However, the increasing focus on cybersecurity has brought this aspect of labeling into sharper focus, with regulatory bodies and healthcare organizations demanding more transparency and accountability from manufacturers.

The Role of Standardized Approaches: MDS2 and JSP2

To streamline the cybersecurity labeling process, the industry has adopted several standardized approaches, including the Manufacturer Disclosure Statement for Medical Device Security (MDS2) and the Medical Device and Health IT Joint Security Plan, version 2 (JSP2).

The MDS2 is a questionnaire that manufacturers must complete to disclose specific details about their product’s security features, including the type of encryption used, authentication methods, and compliance with various security standards. As Trevor Slattery, Chief Technology Officer at Blue Goat Cyber, explains, “The MDS2 is essentially saying, it’s a questionnaire. I think it’s about 180 line items, and it’s different questions about the product document, basically that a manufacturer has to fill out to disclose certain information, like what type of encryption you have, what type of authentication you’re using.”

The JSP2, on the other hand, focuses more on the customer-facing aspects of cybersecurity labeling, guiding users on how to configure and integrate the device into their existing systems. As Slattery notes, “The JSP2 customer security documentation goes more into the what-the-user-should-do side. So, MDS2 is facts about the product, and JSP2 is how to use those facts to increase your security posture.”

By leveraging these standardized approaches, manufacturers can ensure that they are providing a comprehensive and consistent set of cybersecurity information to their customers, making it easier for healthcare providers to compare and evaluate different medical devices.

Addressing Common Misconceptions About Cybersecurity Labeling

Despite the growing importance of cybersecurity labeling, several misconceptions persist that manufacturers must address. One of the most common concerns is the fear that disclosing security information will make their devices more vulnerable to attacks.

As Slattery explains, “Part of that comes from the software bill of materials being part of labeling. So, you’re disclosing the different components of the product. Part of that comes from disclosing the potential risks in the product. Part of that comes from disclosing the architecture. And while if you have an insecure product, that information can be leveraged by attackers, if you have an insecure product, they’re going to attack it anyway.”

In other words, the transparency required by cybersecurity labeling is not a vulnerability in itself, but rather a means of holding manufacturers accountable for the security of their products. By disclosing potential risks and security measures, manufacturers are incentivized to address these issues proactively, rather than relying on “security through obscurity.”

Another common misconception is the uncertainty around where to start with cybersecurity labeling. As Slattery notes, “The FDA has a list of requirements that they want to see for labeling, and we often get a lot of questions, ‘Oh, is this going to be covered by MDS2? Is this going to be covered by our software documentation?’ And the answer is sometimes.”

To address this challenge, manufacturers should adopt a hybrid approach, combining the MDS2 and JSP2 frameworks to ensure that they are covering all the necessary bases. By understanding the specific requirements of their target audience, whether it’s a hospital, a private practice, or a consumer, manufacturers can tailor their cybersecurity labeling to meet the needs of their customers.

Balancing Transparency and Technical Complexity

One of the key challenges in cybersecurity labeling is striking the right balance between providing detailed technical information and ensuring that the content is accessible and understandable to a wide range of users, from healthcare IT administrators to patients.

As Slattery explains, “There are two different kinds of groups that are going to look for this information. The first is the actual user, who we’re assuming doesn’t know very much about cybersecurity. And so when we’re talking about that level of information, we want to make sure that that user is well informed on any potential risk in common language as well as any common mitigations in common language.”

For more technically inclined users, such as hospital IT administrators, the labeling should provide more detailed information about the device’s architecture, network integration requirements, and specific security controls that can be implemented.

Slattery emphasizes the importance of this balance, saying, “We also want to have some more information for a hospital IT administrator who’s likely going to be more familiar with these technical terms. And so, how will they integrate this into a complex network? What network controls can they implement? Do they need to make any changes to their firewall?”

By catering to the needs of both technical and non-technical users, manufacturers can ensure that their cybersecurity labeling is comprehensive, transparent, and accessible to all stakeholders.

Contextualizing Cybersecurity Labeling: Understanding the Audience

Another critical aspect of effective cybersecurity labeling is understanding the specific context in which the medical device will be used and the requirements of the target audience. As Slattery notes, “The requirements if you’re selling direct to consumers for labeling are likely going to be pretty thin. You might not even be asked for your labeling most of the time. You should still provide it, regardless. But if a patient is buying your device directly, is what you’re saying, versus it being deployed in a clinic or hospital.”

The level of detail and specific information required can vary significantly depending on the healthcare delivery organization (HDO) that will purchase and use the device. As Espinosa explains, “Mayo Clinic has different acquisition policies from you know, like any other different hospital, like a private hospital is going to have its own thing. Public hospitals, also known as government hospitals, will have their own procedures. So understand where this product is going and cater to what they’re going to expect.”

By tailoring their cybersecurity labeling to the specific needs and requirements of their target audience, manufacturers can ensure that their products are not only compliant with regulatory standards but also meet the expectations of the healthcare organizations that will be responsible for their implementation and use.

Cybersecurity Labeling as a Tool for Accountability

Beyond simply providing information, cybersecurity labeling can also serve as a powerful tool for holding manufacturers accountable for the security of their medical devices. As Slattery points out, “Part of the drive to push out all this information is the thought that manufacturers should not have very many problems to disclose. They should be addressing security at a solid level.”

By requiring manufacturers to disclose detailed information about their security measures and potential vulnerabilities, the labeling process creates an incentive for them to prioritize cybersecurity throughout the product development lifecycle. As Espinosa notes, “If they are disclosing saying we’re using triple DES in our system, they shouldn’t get purchased by someone. That is their fault for designing an insecure product.”

This accountability extends beyond the regulatory requirements, as HDOs are increasingly taking on the burden of liability for the security of the medical devices they purchase. As Espinosa explains, “The FDA is not taking on the burden of liability for this product. The hospital is taking on that burden of liability. So if they take in an insecure device, if they have an X-ray machine that can be hacked, and then that X-ray machine gets hacked and they get ransomware because of it, that is the hospital at liability.”

By demanding comprehensive cybersecurity labeling, HDOs can make more informed purchasing decisions and hold manufacturers accountable for the security of their products, ultimately improving patient safety and reducing the risk of costly data breaches or ransomware attacks.

Key Takeaways for Medical Device Manufacturers

  • Know your information: Familiarize yourself with the MDS2 and JSP2 frameworks, as well as the specific labeling requirements set forth by the FDA and your target healthcare delivery organizations. Ensure that your engineering and documentation teams are prepared to provide the necessary information.
  • Know your audience: Tailor your cybersecurity labeling to the specific needs and technical expertise of your target users, whether they are healthcare IT administrators, clinicians, or patients. Balance technical details with clear, accessible language.
  • Use labeling as a tool for accountability: Embrace cybersecurity labeling as an opportunity to demonstrate the security of your medical devices and hold yourself accountable for addressing potential vulnerabilities. This transparency can be a competitive advantage in the market.

By embracing the principles of comprehensive, transparent, and context-driven cybersecurity labeling, medical device manufacturers can not only meet regulatory requirements but also build trust with their customers, improve patient safety, and position themselves as leaders in the rapidly evolving landscape of medical technology security.
