At some point in their life, everyone has had to go to the doctor, and whether the visit was for something small or something serious, the doctor has had to use some kind of device. These devices, whether used for diagnosis, analysis, or treatment, are becoming more and more interconnected with each other and with the wider internet. Whether this is an X-ray machine sharing its images with an image analysis program for the doctor, a pacemaker that lets you adjust settings from an app on your phone, or even a health bracelet such as a Fitbit, the growing interconnection of medical devices makes them more vulnerable to threats and threat actors in cyberspace. Proper assessment, response, planning, and adaptability are key in trying to protect the devices that protect us.
Throughout my research so far I have found that the governing bodies of both the United States and the European Union use a variety of institutions and practices to help address the risks throughout the lifecycle of medical devices. This lifecycle is generally addressed as follows.

Planning: This is when the device is being developed and designed, testing starts, and it is figured out what the device is needed for.

Design: This is when the device starts to get its technical aspects; engineers start to generate the documentation needed and incorporate the necessary design elements.

Validation: This is the phase where regulatory compliance is completed and all the necessary information and labeling is provided to all stakeholders.

Launch: This is where the device is introduced into the market and training and any other actions are done.

Post Market: After the device has been sold, this is where the cycle of monitoring, updating, and improving the device occurs.
One major institution that seeks to guide this field for legislators, regulators, and manufacturers is the IMDRF, or International Medical Device Regulators Forum. In recent years it has put out several guidelines that seek to help address the threats that medical devices can face throughout their lifecycle. These include “Principles and Practices for Medical Device Cybersecurity” and “‘Software as a Medical Device’: Possible Framework for Risk Categorization and Corresponding Considerations”. These frameworks address best practices in medical devices, such as having a security design mindset throughout the development process, pursuing a risk-based development and security model, having a good and robust incident response framework, performing extensive vulnerability assessments throughout the lifecycle of the device, and ensuring that the security measures taken are scaled to the risk to the user if the device is compromised.
This summer, working for COMCODE, the goal is to gain an understanding of the current state of cybersecurity in regard to medical devices. At first glance this might seem simple; however, cybersecurity is never as simple as first meets the eye, and medical devices constitute everything from the X-ray machine to the blood oxygen level reader to your Fitbit. All of these devices have security needs that need to be met, and all are potential targets for malicious actors.
So far in my research, the main issue has been how convoluted and far-reaching the medical device field is. The fact that medical devices span so far is a cause of the cornucopia of regulations, practices, and controls that are used on various devices, and it is why classification of devices is very open-ended and at times can be very vague and left to the manufacturer. However, as my research has continued, the tangle of rules, regulations, and practices has started to unravel. Shortly, the solid base of a picture of the field will be ready to build my understanding upon.
Written By: Michael Verdi '22 // Computer & Information Systems Security
The post The State Of Medical Security appeared first on The Leahy Center for Digital Forensics & Cybersecurity.