4 Steps to Deploy a Cybersecurity Postmarket Strategy

by Q1Web AdminNov 13, 2017Blog, Medical Device

While the development of innovative technologies and connected devices continues to flourish, public concern surrounding cybersecurity has increased significantly in recent years. With various news stories breaking about hackers and system failures due to cyber security breaches, the recognition of a potential cybersecurity risks in medical devices is at an all-time high. In many cases, devices that are currently being used across the country, and around the world, were designed before cybersecurity was a critical area of concern. Now these devices are operating in an environment where there are risks present that they were not designed to meet.

The medical device industry has to adapt older devices with a longer shelf-life to ensure they are compliant against emerging threats. I spoke with Steven Abrahamson, Director of Product Security Engineering and Privacy at GE Healthcare, about some of the mechanisms and steps he uses to identify risks, and how to appropriately deal with them. “We have to make sure we are looking at it rationally, and recognizing what the risks really are” explained Steven Abrahamson, a speaker at last year’s Global Postmarket Surveillance of Medical Devices Conference. “There are various things we can do to monitor what the threat level and activity levels are in the field, so we don’t expend resources addressing risks that may not be significant.”

The following four steps, defined by Steven Abrahamson, outline how to most efficiently deploy a cybersecurity postmarket strategy.

Internal Inputs: Engage Stakeholders

It’s very important to make sure you aren’t viewing cybersecurity purely as an engineering issue. Ideally, start with a central product cybersecurity team that can work closely with the people in engineering, regulatory, legal, supply chain, service, sales, product management, and others to plan a comprehensive strategy addressing emerging cybersecurity concerns.

When handling specific vulnerabilities, there is always a lot of information available. Many different vulnerabilities can be identified internally, and each has an effect on a different type of product or device. It is important to assess which vulnerabilities pertain to your specific devices, as there are many that don’t have a significant impact on medical devices, given how they are used and the environment that they are used in.

There should be a mechanism in place to translate the external information into data that can be used internally to assess the risk in devices. As well as the full engagement of everyone involved in managing risks in your product portfolio across the business.

Define an Executable Process: Vulnerability Inputs, Screening, and Risk Assessment

“If a process is not executable it doesn’t do anyone any good” explained Abrahamson. There are many identifiable vulnerabilities out there, so it is important to translate them into a list that is actionable by the product engineering team. For example, if you have a list of a thousand vulnerabilities that may affect the device, a manufacturer is not going to know what to do with that. You have to put in place a mechanism to identify which vulnerabilities are potentially impactful. From there you can work with the engineering team to create a process that determines what the risk level is, and where you have to take action.

While it is important make an actionable plan with any manufacturer, when dealing with a larger manufacturer, that might have hundreds of products and tens of thousands of devices, you have to really consider scalability. Anything that makes sense at an individual vulnerability level must be scaled to hundreds of vulnerabilities on tens of thousands of devices.

Implementation: Training, Communication, Operating Mechanisms, and Continual Improvement

When it comes to implementation, anything you do must be viewed as part of a system. Cybersecurity is an area that many medical device manufacturers, and people within the manufactures organizations, are not familiar with. As you implement new practices to address risks, it is important to make sure people understand what they are, have clear definitions of the processes, and go through a formal implementation. Like any well-executed system, training, communication, and operating mechanisms are key elements to ensure a smooth transition.

A cybersecurity system is very analogous to a quality system. The approach that can be taken in a quality system can also be translated when looking at security requirements. There has to be a mechanism in place to measuring effectiveness, and continual improvement.

Conclusion

When creating a postmarket surveillance cybersecurity strategy, there are many considerations that must be made. At the Global Postmarket Surveillance of Medical Device conference on January 18-19, 2018 in Arlington, VA leaders from the industry will meet to discuss best practices regarding lifecycle approaches to ensuring product safety and compliance.

View Our Events

Join Our Mailing List

At Veranex, we can help you with concept through to commercialization by enabling:
• Accelerated speed to market
• Controlled development costs
• Development risk mitigation
• Market viability assessment

At every stage, we navigate our clients to realize efficiencies in cost and time with our integrated and comprehensive solutions.

Visit Sponsor Website

Since TrainingPros was founded in 1997, we have been dedicated to helping our clients find the right consultant for their projects. 25 years later, we are proud to have helped hundreds of clients complete their projects and thousands of consultants find great assignments. We continue to focus on helping our clients and consultants as well as our community as a certified women-owned, award-winning staffing company that works exclusively with Learning & Development professionals to match consultants to client projects.

Visit Sponsor Website

TELCOR is the proven leader of health care software solutions for revenue cycle management (RCM) software and services designed specifically for laboratories. TELCOR RCM, our SaaS solution, and TELCOR Revenue Cycle Services, our billing service, are designed to streamline workflow, improve collections, and provide real-time analytics. Our software and service solutions are designed for the unique challenges and requirements of laboratory specialties and the clients they serve. With full access to data, labs have complete visibility of their data and can track key performance indicators. No other vendor works as hard ensuring you get paid for the work you do.

Visit Sponsor Website

At Tipping Point Media, we pride ourselves on developing innovative, creative, and technically advanced virtual training and digital marketing solutions for the life sciences industry.

We push the limits of what's possible using Augmented and Virtual Reality to create revolutionary experiences proven to increase audience engagement and retention rates.

Our dedicated team of educators, medical experts, certified programmers, and digital renaissance innovators are committed to creating high-quality custom creations that bring your company's vision to life.

Visit Sponsor Website

VantagePoint Performance trains Salespeople to be more fluent and comfortable across different situations needing different sales approaches, and we train Sales Managers to be better coaches and team leaders, with more focus and less stress.

We’re different from the average sales training company because:

We don’t believe that one approach, one system, or one methodology is absolutely superior. All have something to offer, and the “best approach” or “best system” depends on the sales situation. This is what our applied, academic research tells us.
Our use of data science, specifically Machine Learning, helps us learn about our clients more meaningfully. We provide insights from each client’s data to help them understand what drives the success of their top-performing Salespeople and Sales Managers.
We are constantly feeding what we learn back into our training products, and we invest a bigger slice of our total energy into this innovation than the average sales training company. Our clients can access always-refreshed intellectual property and content through our training subscriptions.

Visit Sponsor Website

Policy Reporter, acquired by TrialCard in 2019, provides innovative healthcare software solutions to track payer policies in near real-time and enhances market access for the therapies patients need most. The company’s patented software-driven solutions include a suite of billing and reimbursement tools for providers and laboratories, market intelligence tools for payers, and a suite of market access solutions for life science companies. Its clients include some of the world’s largest pharmaceutical and healthcare companies.

Visit Sponsor Website