FDA Weighs in on Medical Device Safety, But Responsibility Lies with Manufacturers

^{The FDA is doubling down on medical device security, but the onus falls on manufacturers.}

The U.S. Food and Drug Administration’s recently released guidelines on medical device security serve as a framework for healthcare providers to plan for and remediate cybersecurity threats and incidents. The FDA’s guidance is largely focused on how to respond to disruptive attacks once they occur. However, it’s equally critical to consider preventive measures that require pre-emptive action during the design phase of devices — with responsibility placed in the hands of the manufacturer.

>> READ: FDA Ramps Up Its Medical Device Cybersecurity Efforts

Whether it’s a 12-year-old hacker or a nation state, the threat of device takeover is real. Devices that have historically operated by accessing a closed Ethernet are now connected over a hospital network — always live and always transmitting data. These open networks allow manufacturers to make remote updates to connected IoT devices around the world, but with this on-demand connectivity come gaps in security. As technology avails and evolves, many electronic medical devices will collect important patient data and transmit that data over an open network. For device manufacturers, this means that it’s no longer simply about building great hardware ­— today’s devices are defined by their software.

That’s why building a strong foundation for cybersecurity at the time of manufacture is absolutely critical. The design phase of the manufacturing process is the best time to incorporate cryptography, binding digital identity, so it’s inherent in the device. But it’s not just the manufacturer that’s on the hook — the healthcare provider or hospital must also put an identity on the device that aligns with the original identity from the device manufacturer. This is where getting the keystore right is imperative. When the firmware is designed correctly, it becomes extensible to all those in the device ecosystem, so the hospital can communicate with the device, the patient’s caregiver can communicate with the device and so on.

This technology has been around for a while, but it’s relatively new to the medical device industry because of its more recent transition to open networks. What’s brilliant is that we’re taking proven technology and applying cryptographic algorithms to be useable in an industry that has no time for testing. Another critical step in the process is for the firmware to be code signed. Basic code signing verifies the authenticity of the manufacturer via digital signature. If this step isn’t taken, the bad guys can get their hands on good devices and do bad things.

Fast-paced innovation plays a key role in the healthcare industry — and medical device manufacturers are always looking to improve the patient experience. Wearable devices such as watches can take personal EKGs, creating reports that get sent directly to a doctor. Next-gen model pacemakers are talking to smartphones and sharing biometric data with doctors and hospitals. For example, a patient with an installed pacemaker is at home, not feeling great. The device transmits data to the doctor, suggesting that the pacemaker needs tweaking. The doctor interprets the data and makes updates to the device’s settings on the fly. The technology optimizes both the well-being of the patient and their overall healthcare experience. When the patient wakes up in the morning, they feel better. This type of innovation is leading the way for healthier patient outcomes.

Healthcare innovation can clearly make the world a better place. But as with all technology, there are risks. Device manufacturers need to secure communication channels so that threats are kept at bay. Authenticating, encrypting and signing every device during design helps medical device manufacturers stay ahead of potential chaos.

Most people believe the greatest security threat from their pacemakers and insulin pumps is data hacking. However, the real risk is more in line with a disruptive attack, one that actually changes the way the device performs or threatens the health of its user. Threats such as these must be eradicated because patient safety relies on it.

As the FDA states, with planning and practice, healthcare organizations can be well-positioned to manage medical device cybersecurity. Cryptography during design can eliminate threats from becoming reality when devices are in use and lives are at stake.

Kevin von Keyserling is president and chief executive officer at Certified Security Solutions, Inc. (CSS). In this role, Kevin is responsible for company operations and oversees CSS’ organic and acquisition growth strategy. As a member of the CSS leadership team, Kevin is the chief steward of company culture. Building on the company’s culture of success, Kevin authored the “Ten Principles of Leadership.” These principles shape the people concepts and values that prevail and define what it’s like to work at CSS. Of the 10 principles, Kevin’s favorite is creating a learning environment. This principle helps individuals achieve their full potential.

Navigate the digital transformation with confidence. Register for our newsletter.

Related

Securing the Forgotten Servers: Why Printers Are The Biggest Security Risk Today

Yes, Healthcare’s Data Breach Problem Really Is That Bad

What to Do Before and After a Data Breach