How Can Medical Device Manufacturers Support Operational Cybersecurity?

Medical device cybersecurity has a long lifecycle. Manufacturers put much of their effort into gaining approval from the Food and Drug Administration (FDA). Following FDA guidance on security controls isn’t the law, but the agency can reject premarket submissions that fall short. Those obligations continue once the device goes to market, and operational cybersecurity then becomes a shared responsibility.

Hospitals and healthcare organizations are accelerating their use of medical devices, which have become critical to diagnosis and care. They do, however, increase risk by expanding the attack surface. Healthcare sits at the top of the list of most-attacked industries and has inherent weaknesses in its perimeter.

What’s the role of manufacturers in supporting operational cybersecurity?

Post-Clearance: Medical Devices in Use and at Risk

Once a medical device receives approval and is in use, that’s when risk elevates. Devices often become part of a hospital network, and the strength of that network’s defenses is out of the manufacturer’s control.

Before this point, device makers have created an SBOM (software bill of materials) and a patching plan. If they identify a vulnerability, they must immediately dispatch the update. They have also done extensive testing to ensure the device is cyber-secure and resilient.

All that work can be undone if the hosting party has a weak defense. Perimeter controls are notoriously ineffective. Simply gaining visibility across an extensive network of devices challenges most healthcare security teams.

While hacking a device is possible and could jeopardize care, most cyber criminals simply want the data healthcare holds. PII, PHI, and other sensitive information are gold to these folks. A medical device could be a way in, which is where software vulnerabilities come into play. Manufacturers are watching those.

What happens when it’s not a software weakness? Social engineering and phishing are hackers’ preferred methods. Why? Because they work. AI is supercharging these efforts, and people are falling victim and exposing their credentials. If this is the path for a breach, manufacturers aren’t in the ecosystem, but they could still be on the hook in the blame game.

Data breaches require notification and an explanation of the cause, and if a device is part of that story, it could harm a manufacturer’s reputation.

That’s why every stakeholder needs to collaborate.

Medical Device Makers and Hospitals Working Together

One of the biggest challenges in operational cybersecurity for medical devices is a disconnected landscape. The FDA has purview over approvals and can enforce penalties for cyber incidents, but it has not gone as far as creating collaborative groups between the parties.

Since that’s likely not a priority for the agency, manufacturers and healthcare organizations should form these task forces themselves. Ultimately, both want devices to be secure and well integrated into care regimens.

By pooling resources and communicating regularly and effectively, everyone can form a more proactive stance on cybersecurity. Some key things they could put on the agenda include the following:

1. Ensure all organizations have an accurate inventory of all medical devices.

This has been a concern for some time, and it’s not just about newly purchased devices. There is a secondhand market for devices, and manufacturers often don’t know where they end up. If they’re unaware of a device’s location, they can’t patch or update it.

2. Integrate FDA guidance for manufacturers into healthcare cybersecurity frameworks.

Many of the best practices and directives are relevant beyond the manufacturer. Healthcare certainly has many regulations to adhere to when it comes to data security, but those frameworks often overlook the role of devices. In most cases, providers simply lack the expertise.

3. Develop a cadence for penetration testing.

Manufacturers and healthcare organizations should unite on this and hire experts to perform the tests. Collectively, you’ll learn more from pen testing than from anything else.

4. Enable access to SBOMs.

An SBOM is not a one-and-done document. It needs to be actively updated, and making it accessible to invested parties provides transparency.
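As an added illustration (not code from the original post or from any manufacturer), here is the kind of cross-check that agenda items 1 and 4 make possible, in Python: given a hospital's device inventory and the manufacturer's CycloneDX-style SBOM for each firmware version, it flags devices running a component below an advisory's fixed version, devices whose SBOM has not been refreshed, and devices with no SBOM on file at all. The product names, versions, advisory IDs and timestamps are all constructed placeholders.

```python
from datetime import datetime
# Constructed SBOMs keyed by (product, firmware version), in a CycloneDX-like shape.
SBOMS = {
    ("PumpOS", "2.3.1"): {"metadata": {"timestamp": "2023-01-10T00:00:00Z"},
                          "components": [{"name": "openssl", "version": "1.1.1"},
                                         {"name": "zlib", "version": "1.2.11"}]},
    ("PumpOS", "2.4.0"): {"metadata": {"timestamp": "2024-06-01T00:00:00Z"},
                          "components": [{"name": "openssl", "version": "3.0.8"},
                                         {"name": "zlib", "version": "1.2.13"}]},
}
# Constructed advisories (placeholder IDs, not real CVEs): affected when version < fixed_in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "openssl", "fixed_in": "3.0.0"},
    {"id": "ADV-EXAMPLE-002", "component": "zlib", "fixed_in": "1.2.12"},
]
# Constructed hospital inventory; the deployed firmware version maps a device to its SBOM.
INVENTORY = [
    {"asset_id": "PUMP-0001", "product": "PumpOS", "firmware": "2.3.1"},
    {"asset_id": "PUMP-0002", "product": "PumpOS", "firmware": "2.4.0"},
    {"asset_id": "PUMP-0003", "product": "PumpOS", "firmware": "2.2.0"},  # no SBOM on file
]
def version_key(v):
    """Turn '1.2.11' into (1, 2, 11) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def affected_advisories(sbom):
    """Advisory IDs whose component appears in the SBOM at a version below the fix."""
    return [adv["id"] for comp in sbom["components"] for adv in ADVISORIES
            if comp["name"] == adv["component"]
            and version_key(comp["version"]) < version_key(adv["fixed_in"])]

def sbom_is_stale(sbom, as_of, max_age_days=365):
    """An SBOM is not one-and-done: flag one not regenerated within max_age_days of as_of."""
    iso = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (iso(as_of) - iso(sbom["metadata"]["timestamp"])).days > max_age_days

def devices_needing_action(inventory, as_of):
    """Map each asset ID to its open issues; an asset with no SBOM on file is flagged too."""
    result = {}
    for dev in inventory:
        sbom = SBOMS.get((dev["product"], dev["firmware"]))
        if sbom is None:
            result[dev["asset_id"]] = ["NO-SBOM-ON-FILE"]
            continue
        issues = affected_advisories(sbom)
        if sbom_is_stale(sbom, as_of):
            issues.append("SBOM-STALE")
        if issues:
            result[dev["asset_id"]] = issues
    return result
```

Calling `devices_needing_action(INVENTORY, "2025-01-01T00:00:00Z")` reports the pump on the old firmware with two open advisories and a stale SBOM, the unknown-firmware pump with no SBOM to check against, and nothing for the current one.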

In addition to manufacturers and providers, these groups can also benefit from outside experts like our team. We focus specifically on the medical device space with services for any need. Get in touch to learn more.