With the increasing use of wireless, Internet and network connected medical devices, it’s time to more closely monitor how well these products are built to protect sensitive data.

Are you networking to danger?

Obviously, devices that can connect to other devices, networks or the Internet are inherently more vulnerable to cybersecurity threats.

Devices that are remotely accessing, and electronically exchanging, health information present an open door for hackers, unless they are smartly designed with cybersecurity risk front and center.

The Food and Drug Administration (FDA) recently published guidance for pre-market submissions by medical device manufacturers, specifically calling for increased management of cybersecurity.

The agency suggests that manufacturers address cybersecurity during the design and development phases, and that they establish a risk management approach as a key scope of work within the pre-market validation of the device.


Among the important considerations for a device are its intended use, environments where it will be deployed, vulnerabilities that are present and the probable risk of patient harm in the event of a breach. The FDA goes on to recommend that manufacturers develop a set of cybersecurity controls to assure device security and to maintain functionality and safety in the event of a cyber attack.

Questions to guide your best practices

Whether you’re a device manufacturer or a healthcare entity that is purchasing and deploying medical devices, here are some key questions you should be asking, based on best practices in information risk management and specific references within the FDA’s guidance:

  • What are the specific cybersecurity risks that were considered when designing the device?
  • What specific controls were put in place to mitigate, avoid or effectively respond to these risks?
  • How does the device ensure secure data transfer to and from the device, and what methods of encryption does it use?
  • What steps are taken to limit access to trusted users only, e.g. automatic timing out of sessions, multi-factor authentication and strong password protection?
  • What features allow for security compromises to be detected, recognized, logged, timed and acted upon during normal use?
  • How are end users notified upon detection of a cybersecurity event?
  • Does the device have features that protect critical functionality even when it has been compromised by a cybersecurity event?
  • Can an authenticated user recover data and device configuration following an adverse event?

In addition to evaluating specific devices to understand whether proper cybersecurity measures are “built in”, Clearwater recommends that healthcare entities spend time developing specific plans for the inherent information privacy and security risks that exist with medical devices across the board. It is also important to understand where these products fit within the broader scope of a thorough and strategic approach to information risk management. Doing so will close another door on would-be hackers and set your organization up to more effectively respond in the event of a successful cyber attack.

Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.