4 Steps to Deploy a Cybersecurity Postmarket Strategy
While the development of innovative technologies and connected devices continues to flourish, public concern surrounding cybersecurity has increased significantly in recent years. With news stories regularly breaking about hackers and system failures caused by cybersecurity breaches, awareness of potential cybersecurity risks in medical devices is at an all-time high. In many cases, devices currently in use across the country, and around the world, were designed before cybersecurity was a critical area of concern. These devices are now operating in an environment with risks they were never designed to withstand.
The medical device industry has to adapt older devices with a long service life so that they remain compliant in the face of emerging threats. I spoke with Steven Abrahamson, Director of Product Security Engineering and Privacy at GE Healthcare, about some of the mechanisms and steps he uses to identify risks and how to deal with them appropriately. “We have to make sure we are looking at it rationally, and recognizing what the risks really are,” explained Steven Abrahamson, a speaker at last year’s Global Postmarket Surveillance of Medical Devices Conference. “There are various things we can do to monitor what the threat level and activity levels are in the field, so we don’t expend resources addressing risks that may not be significant.”
The following four steps, defined by Steven Abrahamson, outline how to most efficiently deploy a cybersecurity postmarket strategy.
Internal Inputs: Engage Stakeholders
It’s very important to make sure you aren’t viewing cybersecurity purely as an engineering issue. Ideally, start with a central product cybersecurity team that can work closely with the people in engineering, regulatory, legal, supply chain, service, sales, product management, and others to plan a comprehensive strategy addressing emerging cybersecurity concerns.
When handling specific vulnerabilities, there is always a lot of information available. Many different vulnerabilities can be identified internally, and each affects a different type of product or device. It is important to assess which vulnerabilities pertain to your specific devices, because many do not have a significant impact on medical devices given how and where they are used.
There should be a mechanism in place to translate external information into data that can be used internally to assess the risk in devices, together with the full engagement of everyone involved in managing risk across the product portfolio and across the business.
Define an Executable Process: Vulnerability Inputs, Screening, and Risk Assessment
“If a process is not executable, it doesn’t do anyone any good,” explained Abrahamson. There are many identifiable vulnerabilities out there, so it is important to translate them into a list that the product engineering team can act on. For example, if you hand a manufacturer a list of a thousand vulnerabilities that may affect a device, they are not going to know what to do with it. You have to put in place a mechanism to identify which vulnerabilities are potentially impactful. From there you can work with the engineering team to create a process that determines the risk level and where action has to be taken.
While it is important to make an actionable plan with any manufacturer, a larger manufacturer that might have hundreds of products and tens of thousands of devices has to consider scalability seriously. Anything that makes sense at the level of an individual vulnerability must scale to hundreds of vulnerabilities across tens of thousands of devices.
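The screening mechanism described in this section and in the "Internal Inputs" section above (translate external advisories into device-specific data, screen out what does not apply, assign a risk level, and scale it across a portfolio) can be sketched as a small program. The following is an added example written for this page; it is not code from the article, from Steven Abrahamson or from GE Healthcare. The advisory ids, component names, device models, unit counts, the CVSS-like 0 to 10 base score, the exposure discount factors and the act/plan/monitor tier thresholds are all constructed or assumed for illustration.

```python
"""Screen external vulnerability advisories against a fielded device portfolio.

Added example (not the article's own process). All advisories, device models
and numeric thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Advisory:
    """An external vulnerability record reduced to the fields screening needs."""
    advisory_id: str              # placeholder id, constructed
    component: str                # affected software component
    affected_versions: frozenset  # versions the source lists as affected
    base_score: float             # 0.0 to 10.0, CVSS-like base severity (assumed scale)
    attack_vector: str            # "network", "adjacent", "local" or "physical"


@dataclass(frozen=True)
class DeviceModel:
    """One product line: its component inventory and how it is deployed."""
    model: str
    components: Dict[str, str]    # component name -> installed version
    fielded_units: int            # installed base in the field
    network_connected: bool       # reachable over the facility network when deployed
    physically_controlled: bool   # deployed only in areas with controlled physical access


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    model: str
    score: float
    tier: str
    units: int


TIER_RANK = {"act": 0, "plan": 1, "monitor": 2}


def applies(adv: Advisory, model: DeviceModel) -> bool:
    """An advisory is relevant only if the model ships an affected component version."""
    return model.components.get(adv.component) in adv.affected_versions


def environmental_score(adv: Advisory, model: DeviceModel) -> float:
    """Adjust the published severity for the environment the device is actually used in.

    Discount factors are assumptions for this example, not a published standard.
    """
    score = adv.base_score
    if adv.attack_vector == "network" and not model.network_connected:
        score *= 0.25   # no network path to the component in the deployed environment
    elif adv.attack_vector in ("local", "physical") and model.physically_controlled:
        score *= 0.5    # requires hands-on access inside a controlled area
    # "adjacent" and other cases keep the base score unchanged.
    return score


def tier(score: float) -> str:
    """Map an adjusted score to an action tier (thresholds are assumed)."""
    if score >= 7.0:
        return "act"
    if score >= 4.0:
        return "plan"
    return "monitor"


def screen(advisories: List[Advisory], models: List[DeviceModel]) -> List[Finding]:
    """Produce the actionable list: only applicable pairs, highest urgency first."""
    findings = [
        Finding(adv.advisory_id, m.model, environmental_score(adv, m),
                tier(environmental_score(adv, m)), m.fielded_units)
        for adv in advisories for m in models if applies(adv, m)
    ]
    # Most urgent tier first, then largest installed base, then stable ids.
    findings.sort(key=lambda f: (TIER_RANK[f.tier], -f.units, f.advisory_id, f.model))
    return findings


def portfolio_summary(findings: List[Finding]) -> Dict[str, dict]:
    """Roll findings up per advisory so one decision covers every affected model."""
    summary: Dict[str, dict] = {}
    for f in findings:
        entry = summary.setdefault(f.advisory_id, {"units": 0, "worst_tier": "monitor", "models": []})
        entry["units"] += f.units
        entry["models"].append(f.model)
        if TIER_RANK[f.tier] < TIER_RANK[entry["worst_tier"]]:
            entry["worst_tier"] = f.tier
    return summary


# Constructed sample inputs: placeholder advisory ids and fictional device models.
ADVISORIES = [
    Advisory("ADV-0001", "tls-lib", frozenset({"1.0.1", "1.0.2"}), 9.8, "network"),
    Advisory("ADV-0002", "usb-stack", frozenset({"2.3"}), 6.8, "physical"),
    Advisory("ADV-0003", "image-parser", frozenset({"4.0"}), 7.5, "local"),
    Advisory("ADV-0004", "tls-lib", frozenset({"3.0"}), 5.3, "network"),  # no model ships 3.0
]
MODELS = [
    DeviceModel("Imager-A", {"tls-lib": "1.0.2", "image-parser": "4.0"}, 12000, True, False),
    DeviceModel("Monitor-B", {"tls-lib": "1.0.1", "usb-stack": "2.3"}, 800, False, True),
    DeviceModel("Pump-C", {"usb-stack": "2.3"}, 30000, False, False),
]

if __name__ == "__main__":
    for f in screen(ADVISORIES, MODELS):
        print(f"{f.tier:8} {f.advisory_id} {f.model:10} score={f.score:.1f} units={f.units}")
    for adv_id, entry in portfolio_summary(screen(ADVISORIES, MODELS)).items():
        print(adv_id, entry)
```

The two steps a practitioner should notice are `applies`, which drops every advisory that does not match an installed component version (ADV-0004 never reaches engineering), and `environmental_score`, which is where the "how and where the device is used" judgement lives: the same network-vector advisory lands in the act tier for the network-connected imager and in the monitor tier for the standalone monitor. `portfolio_summary` is the scaling step, turning per-model findings into one decision per advisory with the affected installed base attached.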
Implementation: Training, Communication, Operating Mechanisms, and Continual Improvement
When it comes to implementation, anything you do must be viewed as part of a system. Cybersecurity is an area that many medical device manufacturers, and many people within those manufacturers’ organizations, are not familiar with. As you implement new practices to address risks, it is important to make sure people understand what they are, to define the processes clearly, and to go through a formal implementation. As in any well-executed system, training, communication, and operating mechanisms are the key elements of a smooth transition.
A cybersecurity system is closely analogous to a quality system, and the approach taken in a quality system can be carried over to security requirements. There has to be a mechanism in place for measuring effectiveness and for continual improvement.
When creating a postmarket surveillance cybersecurity strategy, there are many considerations to weigh. At the Global Postmarket Surveillance of Medical Device conference on January 18-19, 2018 in Arlington, VA, industry leaders will meet to discuss best practices for lifecycle approaches to ensuring product safety and compliance.