EU MDR & IVDR Cybersecurity Evaluation

Enabling Security & Privacy in Digital Health

Medical Device Cybersecurity

Fundamentals

CIA Triad

The CIA triad represents the three pillars of cybersecurity: confidentiality, integrity, and availability. The definitions below are those used by NIST (FIPS 199, taken from 44 U.S.C. § 3542).

Confidentiality – preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Integrity – guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.

Availability – ensuring timely and reliable access to and use of information.

For a medical device the three are not equally weighted: loss of integrity or availability of a function that delivers therapy or informs a clinical decision is a patient-safety issue, whereas loss of confidentiality of the data the device handles is primarily a privacy issue. Device risk assessments should therefore consider each property separately for each function and data flow rather than treating "security" as a single rating.

NIST

NIST published version 1.1 of the Cybersecurity Framework in April 2018 to provide guidance on protecting and developing resiliency for critical infrastructure and other sectors. The Framework Core contains five functions, listed below. (NIST released Framework version 2.0 in February 2024, which adds a sixth function, Govern, in front of these five; the five below are unchanged.)

  • Identify – develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
  • Protect – develop and implement appropriate safeguards to ensure delivery of critical services.
  • Detect – develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
  • Recover – develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Establishing a Medical Device Cybersecurity Program

The seven steps below follow the process NIST describes in Section 3.2 of the Cybersecurity Framework for establishing or improving a cybersecurity program, applied here to a medical device product line rather than to an enterprise.

Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding medical device cybersecurity implementations and determines the scope of systems and devices that support the selected business line or process.


Step 2: Position (the step NIST calls "Orient"). Once the scope of the medical device cybersecurity program has been determined for the business line or product, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets; for medical devices these typically include the NVD and the device's software bill of materials, CISA (ICS-CERT) medical advisories, coordinated-disclosure reports from security researchers, and sector information-sharing bodies such as H-ISAC.


Step 3: Create a Current Profile. The organization develops a Current Medical Device Cybersecurity Profile by recording which Category and Subcategory outcomes of the Framework Core the device, and the processes around it, currently achieve. A Current Profile is only useful if it is based on evidence (design documentation, test results, threat model) rather than on the intended design.


Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization's overall product risk management process (ISO 14971 for medical device risk management, with AAMI TIR57 for the security-specific part) or by previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the medical device, its users, and patients. It is important that organizations identify emerging risks and use cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events.


Step 5: Create a Target Profile. The organization creates a Medical Device Cybersecurity Target Profile that focuses on the Framework Categories and Subcategories describing the organization's desired cybersecurity outcomes for the device. It is important to understand that a Target Profile should be created for each medical device or family of medical devices, because the intended use, deployment environment, and applicable regulatory requirements differ between products.


Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address the gaps, reflecting mission drivers, costs and benefits, and the risks identified in Step 4, to achieve the outcomes in the Target Profile. The organization then determines the resources, including funding and workforce, necessary to address the gaps. Using Profiles in this manner encourages the organization to make informed decisions about medical device cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.


Step 7: Implement Action Plan. The organization determines which actions to take to address the gaps, if any, identified in the previous step and then adjusts its current cybersecurity practices in order to achieve the Target Profile. The process is iterative: as the threat landscape, the device's software, and the regulatory requirements change, the Current Profile is re-baselined and the steps are repeated.


Copyright © 2020 Cyberacta, Inc. - All Rights Reserved.