Last month, the FDA issued new guidance to medical device manufacturers to submit a cybersecurity plan as part of their application to bring a new device to market. This plan will need to lay out, in detail, how they intend to monitor, identify, and address any potential cybersecurity issues.
Manufacturers must also be more transparent about the software that runs these devices. A software "bill of materials" (SBOM) must be submitted as part of the application, listing every piece of software utilized by the device, including those developed in-house and those from third parties or open-sourced.
In short, the liability for breaches is shifting toward device manufacturers -- giving the entire healthcare industry and the patients it serves a glimmer of hope for the future as the cost of addressing security breaches now exceeds $10 million per incident. For the 12th consecutive year, the healthcare sector suffered higher data breach costs than any other industry examined in this report.
The new guidance from the FDA is beneficial to consumers. Medical devices are critical in patient care, from diagnostics to treatment and monitoring. If they are compromised by a security breach, it can pose severe risks to patient safety. Hackers gaining unauthorized access to a medical device could manipulate its settings (see last year's FDA warning regarding Medtronic MiniMed 600 insulin pumps), leading to incorrect dosages or treatments – or even death. An Alabama medical center was the target of a 2019 cyberattack that allegedly impacted the regular operation of a fetal heartbeat monitor and a nurses' station – which unfortunately ended in tragedy.
A patient's safety is affected by medical device software breaches, as is their private personal information. Medical devices often store and transmit sensitive data, including personal health information (PHI) and electronic health records (EHRs). Medical devices were involved in 88% of data breaches in hospitals, according to the Ponemon Institute. Breaches in medical device security can result in the theft, tampering, or unauthorized access of this data, leading to privacy violations, identity theft, and other security concerns.
Meeting the Challenge
As medical device manufacturers begin to prepare for the new guidelines, their software development teams must also modernize. The mandate requires extending secure processes back to product planning – a forced shift to the left for many. Software leaders in the medical device industry are gearing up their software development teams to meet the challenge with several areas of renewed focus, such as:
- Compliance and Regulatory Knowledge: Understanding the new FDA guidance and compliance requirements will be critical for development teams. Just as important - keeping up-to-date with future changes to these guidelines and best practices will be crucial to ensure compliance for years to come.
- Risk Management: Software developers with experience in risk assessment methodologies, such as Hazard Analysis and Risk Assessment (HARA), Failure Modes and Effects Analysis (FMEA), and Fault Tree Analysis (FTA) help them to identify all the possible causes for software failure, and take actions to minimize the probability of them.
- Threat Intelligence: The FDA considers threat assessment and modeling fundamental in medical device premarket submissions. Software developers with skills in these areas are already in high demand. It is essential for security teams to continue building these skills as threats constantly evolve.
- Encryption and Authentication: According to Capterra, 40% of healthcare organizations have 51-70% of their medical devices connected to the internet. Software developers with skills in encryption algorithms, cryptographic protocols, and authentication mechanisms will be heavily relied upon to implement secure communication and data handling within medical devices.
- Secure Coding Practices: Last but certainly not least, medical device software organizations should adopt secure coding guidelines, follow secure software development lifecycle (SDLC) practices, and utilize tools such as static code analysis, dynamic code analysis, and code review techniques to identify and fix potential security vulnerabilities. Software developers with deep knowledge and experience in the areas will become increasingly valuable over time.
About Jason Shepard, Product Marketing Manager
Jason Shepard is a Product Marketing Manager at Security Innovation. A Seattle sports enthusiast, he considers the Mariners, Seahawks and University of Washington Huskies as his primary pastimes. He also drives Uber for fun on the weekends.