Why MedTech Companies Must Have a Well-Documented Cybersecurity Risk Mitigation Game Plan
Thanks to the rapid advent of new technologies, some medical devices are now designed to facilitate patient care digitally. However, new-age technology in the medical device industry has increased cybersecurity risk. The main cyberthreats include data theft, misuse of credentials and hijacking of resources.
The 2020 Data Breach Investigations Report by Verizon reported that 45% of breaches were through hacking while 22% involved phishing. Cybersecurity skills continue to be in demand, and the average cost of a data breach was estimated at USD 3.86 million in 2020. Reportedly, the healthcare industry is 2-3 times more prone to cyberattacks than other industries. According to details published by the Secretary of the U.S. Department of Health and Human Services (HHS), there were 642 healthcare-related data breaches in which 500 or more records were affected. Such exploitation of unchecked vulnerabilities represents a high risk to patient health.
Cybersecurity in Healthcare
Cybersecurity incidents, such as ransomware, disrupt the use of medical devices and hospital networks, affecting the delivery of proper patient care across healthcare facilities. Such incidents have the potential to harm patients through errors in diagnosis or delays in treatment.
Cybersecurity is an area that needs focus, especially as data integrity and safety are becoming critical compliance issues, with regulations including GDPR and HIPAA constantly updating their requirements. Proactively addressing cybersecurity risks in medical devices will help reduce the overall risk. To ensure the functionality and safety of wireless and networked medical devices, the need for effective cybersecurity is pressing.
FDA and Safety
According to the FDA, medical device software is considered an addition to or a component of the medical device. To that end, the FDA finalized guidance in 2014 to help manufacturers incorporate cybersecurity into the design and development of medical devices:
- The premarket guidance updated in 2018 focuses on addressing cybersecurity threats before medical devices hit the market.
- Postmarket guidance on cybersecurity management in medical devices, issued in 2016, addresses risk programs that should monitor, identify and address cybersecurity risks while remaining consistent with quality system regulations.
The FDA has published policies on Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD). In addition to prioritizing the safety and effectiveness of medical devices, the FDA has formed formal partnerships with the Department of Homeland Security, Department of Security, and National Security Agency, and has established MoUs with stakeholders to improve cybersecurity safety communications.
Proactive Risk Management Holds the Key
Medical device manufacturers must focus on the safety and performance of the device while investigating potential vulnerabilities. A robust risk management strategy will include threat modeling and a risk matrix to arrive at risk acceptability. Although the FDA mandates reporting of potential risks by manufacturers, healthcare providers and patients, some categories of cybersecurity vulnerabilities can be remediated without FDA reporting. Listed below are three broad categories:
- Reporting is not required for vulnerabilities with controlled and acceptable risks. These risks can be handled without reporting, through routine updates and security patches, which the FDA views as device enhancements.
- Reporting is required for uncontrolled and unacceptable risks. These vulnerabilities include instances that cannot be contained through constant and routine checkups.
- Reporting is always required if the vulnerability is likely to cause severe injury or death to the patient.
Having categorized the risk, it is essential to have a well-planned risk management program.
Every cybersecurity risk management program should include:
- Monitoring information sources to identify and detect vulnerabilities and risks within the system
- Maintaining a robust software lifecycle process that monitors, verifies and validates third-party software
- Understanding, assessing and detecting vulnerabilities
- Establishing processes for intake/handling vulnerabilities
- Developing mitigations
- Adopting vulnerability disclosure policy
CQ Risk Management Software, part of the ComplianceQuest EQMS solution, leverages AI to spot potential risks based on historical and trending data along with key metrics. With embedded intelligence, medical device manufacturers can proactively focus on risk mitigation before it becomes a significant challenge. The software offers a clear and consolidated view of the organization’s risk spots through identification, evaluation, mitigation and continuous monitoring. The solution is 21 CFR Part 11 compliant, which helps medical device companies meet the requirements of the FDA, ISO and other regulatory bodies.
This blog is based on the webinar “Medical Device Cybersecurity: Don’t be Vulnerable”.
To learn more about FDA regulations on medical device cybersecurity, visit https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity