By Axel Wirth, Christopher Gates, and Jason Smith

Cybersecurity for medical devices is no longer optional. That is the new reality medical device manufacturers are facing. However, how to implement lifecycle management processes that lead to secure devices, without blowing up engineering budgets and while capturing market share, is much more of a challenge.

Medical cybersecurity professionals Axel Wirth and Christopher Gates aim to help manufacturers face this new reality in their new book, Medical Device Cybersecurity for Engineers and Manufacturers (Artech House, Aug. 31, 2020. ISBN: 9781630818159).

Healthcare is considered one of the nation’s 16 critical infrastructure sectors—like energy, communications, water, chemical, transportation, and so on—and the medical device industry was among the first to be regulated to produce secure embedded systems. Moreover, several high-profile cyberattacks in recent years have proved expensive and disruptive to healthcare organizations. The most well-known of these was probably 2017’s WannaCry ransomware outbreak that impacted 81 of 236 National Health Service (NHS) hospitals in the UK. Incidents like WannaCry and others are driving healthcare delivery organizations to implement much stricter purchasing criteria and to seek ongoing support from medical device manufacturers for cybersecurity. 

These factors have put manufacturers in the odd position of being trailblazers in what is often unfamiliar territory. Secure development has nothing in common with the practice of medicine; instead, it has everything to do with the subtlety of design, quality of implementation, the right testing strategy, understanding the threat landscape, and awareness of potential attack vectors used by malicious actors. Addressing these concerns within the creation of a new medical device can be quite the balancing act. Maintaining this balance is exactly what Wirth, Gates, and Smith’s new book seeks to help manufacturers accomplish, with some important concepts to keep in mind.

Security Must Be Fully Integrated 

To produce a secure device that can achieve regulatory approval and meets emerging, customer-driven market entry requirements, security activities must be fully integrated into design, development, and production. The era of “late-stage” or “afterthought” security, in which the primary goal is to check the “security” box, is over. 

Manufacturers of embedded devices must learn and adopt the Cybersecure Development Lifecycle. This new approach streamlines development, enables real-time feedback from security activities to inform design, and produces the traceable artifacts needed to comply with existing and evolving regulations. It assures the purchasers of the device of its secure status and demonstrates the manufacturers’ ability to provide adequate post-market support.

Security Depends on Total Lifecycle Awareness 

Manufacturers’ cybersecurity responsibilities extend both upstream and downstream of actual development. Designing a secure device means enforcing controls and assurances on the manufacturer’s supply chain. Supporting a secure device post-market requires preparation during design and production to enable security maintenance and surveillance as well as meeting a client’s security needs, e.g., during incident response.

If a Device Is Not Secure, It’s Not Safe 

In today’s environment of software-based and integrated medical devices, safety and security are inextricably linked. If a device cannot be demonstrated to be secure, it cannot be considered safe. That’s because without adequate cybersecurity controls, a malicious actor or a random encounter with malicious code (such as a worm) could interfere with the device’s quality and safety features. 

Increasingly, we are finding more examples of such interferences, and becoming better able to assess their potential impacts on patient safety and care delivery. While we must not allow sensationalism or headlines to drive the discussion, we must recognize its strategic importance to our public health system and we must proceed with urgency. This is, in the end, about preventing patient harm and preserving patient trust. 

We Need to Look at the Entire Security Investment 

Cybersecurity needs to be implemented where it is most effective and where it results in the lowest total cost over the device’s useful life—and that is achieved by implementing proactive security during device design. Any other approach is reactive and pushes security responsibility down the line. This not only increases the burden and total effort required to secure the device, but it also weakens the security posture of the entire device ecosystem.

Making Secure Devices Is Good for Business 

The case for securing medical devices isn’t limited to patient safety. The awareness of the manufacturer’s business risk due to inadequate cybersecurity in device design, development, and production is also growing. 

Intellectual property exposure, counterfeiting of disposable accessories, loss of reputation and market share, delays in regulatory approval, and loss of opportunity—all these business risks can be mitigated through proactive adoption of the Cybersecure Development Lifecycle. Meanwhile, those who do implement this approach will gain a competitive edge in the marketplace, by simultaneously decreasing compliance-based risk while increasing clients’ trust.

Need for Guidance

Because awareness of all these concerns has not been widespread in the embedded device industry until relatively recently, approaches for incorporating secure development practices into the development lifecycle were not taught in traditional engineering programs. And while there are many domestic and international standards for securing medical devices (and “Internet of Things” devices in general), these guidelines are not yet harmonized and do not provide sufficient details to successfully implement security-capable engineering processes. In other words, they provide the “what” but not the “how.” Models and best practices specific to the medical device environment simply have not yet been established.

Lack of training and mature resources for all levels of engineers, project and engineering managers, and senior leadership is a critical shortfall. It has been difficult for medical device manufacturers to produce proactively secured devices and to constructively engage with regulators and customers on the topic of cybersecurity. 

It was after recognizing these challenges, and spending a long time working with manufacturers and healthcare delivery organizations, that Wirth and Gates decided to author Medical Device Cybersecurity for Engineers and Manufacturers. Their book provides guidance on how to adopt a secure medical device lifecycle that is repeatable, maintainable, produces the right artifacts needed for regulatory submission, and improves the security standing of the individual medical device as well as the resilience of the larger device ecosystem.

Medical Device Cybersecurity for Engineers and Manufacturers (Artech House, Aug. 31, 2020. ISBN: 9781630818159) is currently available to the public. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].