In medical devices, risk management is expected to be an ongoing activity, which is considered, controlled and documented across all phases in the life of a product, from the initial conception to development and testing, market authorization, post-market use, and through to end-of-life and retirement.
When cybersecurity risk is not effectively managed throughout the life of the device, it can lead to issues including a medical device failing to deliver its therapeutic benefit, a breach in the confidentiality, integrity, and availability of medical device data, or malicious unauthorized access to the medical device and the network it operates on.
We can assist in establishing enterprise-wide processes to manage medical device cybersecurity, creating design features that enable postmarket management of security risk, and implementing processes to manage device security patching.
The CIA triad represents the three pillars of cybersecurity: confidentiality, integrity, and availability, as follows.
Confidentiality – preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity – guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity
Availability – ensuring timely and reliable access to and use of information
NIST published version 1.1 of the Cybersecurity Framework in April 2018 to provide guidance on protecting and developing resiliency for critical infrastructure and other sectors. The framework core contains five functions, listed below.
Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding medical device cybersecurity implementations and determines the scope of systems and devices that support the selected business line or process.
Step 2: Position. Once the scope of the medical device cybersecurity program has been determined for the business line or product, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets.
Step 3: Create a Current Profile. The organization develops a Current Medical Device Cybersecurity Profile.
Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization’s overall product risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the medical device. It is important that organizations identify emerging risks and use cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events.
Step 5: Create a Target Profile. The organization creates a Medical Device Cybersecurity Target Profile that focuses on the assessment describing the organization’s desired cybersecurity outcomes. It is important to understand that a Target Profile should be created for each medical device or family of medical devices.
Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address gaps – reflecting mission drivers, costs and benefits, and risks – to achieve the outcomes in the Target Profile. The organization then determines resources, including funding and workforce, necessary to address the gaps. Using Profiles in this manner encourages the organization to make informed decisions about medical device cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.
Step 7: Implement Action Plan. The organization determines which actions to take to address the gaps, if any, identified in the previous step and then adjusts its current cybersecurity practices in order to achieve the Target Profile.
We have the regulatory savvy, QMS experience, and technical expertise to help mature and emerging technology companies meet their challenges and take full advantage of their business opportunities.