Rodney Richardson, software and systems engineer, who has spent the past 20 years designing and developing medical software, outlines ten essential points for medical device developers regarding cybersecurity.
As medical devices become more complex and more connected, cybersecurity is now one of the critical considerations. So, with that in mind, I was pleased to see that the FDA has now issued guidance on cybersecurity for medical devices. As a software and systems engineer, I sit on our dedicated cybersecurity team here at Cambridge Consultants. It’s good to see that data protection is now increasingly on the FDA’s radar, as the issue of patient security is becoming ever more pressing. So here are my top 10 things that every medical device developer needs to know about data protection
1. Cybersecurity is now essential. This may be an obvious statement, but it needs to be said. Connectivity for medical devices offers so many benefits, but it is also essential to understand the risks involved. The possibilities are exciting. Patients will communicate with their clinicians more easily, and clinicians will have better information on which to base their treatment decisions. For product manufacturers, it will be possible to monitor device use, offer updates and interact with both patients and clinicians.
But having confidential patient data flowing back and forth also presents significant risks. Just think back to 2018, when the WannaCry ransomware attack on the NHS cost the taxpayer £92 million after 19,000 patient appointments were maliciously cancelled. Nobody wants that sort of disruption and data breach to happen to them; taking cybersecurity seriously can help manage that risk.
2. The medtech world is struggling to catch up. The fact remains – the most secure way to handle patient data is not to share it electronically. And in the risk-averse world of medical development, that has indeed been the default option. However, this attitude is being challenged on a daily basis with the ever more exciting prospects offered by data sharing.
For example, we are currently working on a neurostimulation device for people with multiple sclerosis or traumatic brain injuries to improve their balance. The results are impressive. The device sits on the tongue and stimulates the brain. Within fourteen weeks, a user can go from being barely able to walk to being able to step confidently over an obstacle. Just think of the benefits data sharing could offer from this device to patient, clinician, and device manufacturer in terms of real-time information, communication, and analysis.
3. Cybersecurity is more than just privacy. Cybersecurity for a medical device has three main aspects: confidentiality, integrity, and authenticity.
- Confidentiality – We want only authorised people or systems to be able to read the data
- Integrity – We want only authorised people or systems to change the data or perform an action
- Authenticity – We want to know that people or systems are who they say they are, and that data comes from genuine sources
To enable these aspects of security we need to implement authentication and authorisation. Authentication means we can prove an entity is genuine. Authorisation controls what the authorised entity can do or access.
4. Designing cybersecurity – Identify. Assess. Protect. I advise clients to consider their security strategy as a three-stage process that needs to be front and centre of their design from the very beginning:
- Identify and record the data (assets) that you need to protect – and identify what you need to protect it from. Plan ahead; cybersecurity shouldn’t be an afterthought and is generally more expensive and less effective if added on towards the end of a project.
- Assess how serious a breach of confidentiality, integrity or authenticity would be, the likelihood of it occurring and what the greatest risks are.
- Protect. Now you can move on to developing ways to ensure your assets are safe. Make time in your development plan to perform security-related activities and create the documents and evidence required to clearly convey your security design to regulators.
5. Think of the future. You need to consider how to prevent, detect and respond to issues once the device is out there. Medical devices can be on the market for decades. For example, choosing algorithms that are still effective once quantum computers are available is something everyone should be considering today. Cybersecurity activities must also be considered in any post-market surveillance, ensuring that the initial level of security can be maintained.
6. Creating and managing trust. We need to be able to trust that information comes from an authentic device, just like we would from a person using their username and password or biometrics. And devices need to be able to trust that any information or commands sent to it come from a trusted place. We can establish a private root of trust within connected systems, with secure verifiable digital signatures allowing information to be trusted.
7. Secure connectivity delivers massive benefits. For clinicians, they can monitor individual patients in real time and combine this data with machine learning to analyse trends. On a population scale, data can be shared to build up pooled knowledge of, for example, how certain treatments affect patients. Connectivity gives the patient many ways to interact with their clinician and fellow patients, getting notifications, advice, and insight into their treatment. Embrace these possibilities, and your device will be the better for it.
The team here worked on the Philips Lifeline medical alert system. Aimed at older adults or the vulnerable and worn on a lanyard, it detects if the wearer falls and automatically calls for support through a two-way speakerphone. This device has been hugely successful. Its cybersecurity needs are high, clearly, but well worth it as it links the user to carers, relatives, and clinicians.
8. Sharing data can be good for device manufacturers, too. Connectivity offers specific benefits to medical device companies, too. A device can feed back information on its performance, providing valuable design insights. Updates will be possible in the same way a smartphone updates its software overnight.
9. Not everything needs to be protected to the same degree. In terms of the practical efforts that go into your cybersecurity planning, remember that not everything needs to be protected. Using a risk-based development process allows you to put the most effort and resources into the highest-risk items.
10. To conclude. While medical device development is traditionally risk averse and often values safety above innovation, this mindset is being challenged by the exciting potential that data sharing offers. But we can have both and make the most of these opportunities by getting the right cybersecurity in place. So be sure to factor it into your design from the outset.