Our Cybersecurity Expert, Keith Handler, provides insight into the challenges that medical device developers and manufacturers face today. Cybersecurity regulations and preventative measures are the focus in the 3-part series with Enigma Forensics.
Medical Device Security
As an ISO 13485 certified medical device development company, Sterling Medical Devices always makes safety a top priority.
“Sterling Medical Devices is a 13485 certified product development firm. We help various companies design and develop electro-mechanical medical devices. Pretty much from, anything from concept to submission to the FDA.”
To ensure the proper functioning of the devices and the safety of patients and anyone who may interact with the devices, Sterling rigorously follows specific guidelines. Securing Patient Help Information (PHI) confidentiality of patients in systems becomes a significant challenge when the hospital system integrates medical information.
“We may have control over the confidentiality of the information and of the commands that are sent and received within a device, but as soon as we connect to an external system, we lose control of that data.”
At Sterling, the company works hard to address these challenges and to provide guidance and assistance throughout the medical device development process.In line with the company’s practice of prioritizing safety, Sterling Medical Devices considers different encryption options when evaluating medical devices. Where embedded medical devices are concerned, certain complexities often need addressing. Embedded medical devices usually ship as low powered devices with limited storage space and limited capabilities. These limitations reduce the options available with regards to encryption. If possible, despite low storage and capabilities, Sterling uses hardware encryption chips to secure the sensitive information existing on these medical devices. If not, they rely on embedded libraries with FIPS-2 certifications.
FDA Cyber Regulations
At a glance, one wouldn’t expect the FDA to have cybersecurity concerns. However, since most medical devices these days have some form of internet connectivity, one can easily understand why the FDA is scratching its head over cybersecurity.
Wanting to keep up with these threats, the FDA has issued guidance in an attempt to categorize cybersecurity risks in medical devices. They have also outlined basic standards to follow in designing, testing, and documenting processes for developing devices. That guidance is currently how Sterling Medical Devices implements most of its analysis processes and controls.
The FDA has chosen to recognize specific certifications, such as UL 2100-1-2, a certification for network-connected systems. Additionally, medical devices can follow AAMI TIR57 guidelines to manage potential risks. TIR57 is a guideline that helps medical device manufacturers and developers create a cybersecurity risk management process for the devices. “AAMI TIR57 describes how to marry up the processes of medical safety risk analysis and security analysis.” The primary goal of AAMI TIR57 is to categorize the protected assets within the system, known vulnerabilities, and create a list of attack vectors. With this information, one should successfully be able to identify the real risks and create a plan to protect against them, starting from the ground up.
Keeping medical devices safe, as mentioned earlier, is the primary concern of medical device manufacturers and developers. It’s important to know what measures to take to ensure device safety.
“Hospital healthcare providers need to be making sure that they are up-to-date with the manufacture of all of their devices, that they are keeping apprised of any kind of recalls or anything like that. Manufacturers, the people that we typically deal with, product developers, their responsibility is to maintain a bill-of-materials, a cyber bill-of-materials; their libraries, their encryption circuits, make sure that they’re tracking the versions and things like that so that when a company has a vulnerability exposed, they can become aware and make updates and push them, software especially, as fast as possible.”
The Federal Information Processing Standard (FIPS), specifically FIPS 140-2, is the specific certification for encryption libraries, which proves them to be usable and certified for federal and medical systems. These, along with hardware encryption chips, are reliable and performant. Here at Sterling, we use federally certified ones as a way to ensure we are up to date with current standards.
Another safety measure to take is to ensure that devices know the firmware is authentic. Through “digital signing, signature verification encrypting of that firmware package, devices can validate the authenticity of the firmware. That way we have a verification process in place to ensure that what we’ve got coming down is good.”
As evolving technology shapes the medical device industry, more devices have internet connectivity. Connectivity creates an advantage of remotely receiving security updates but a disadvantage of new security vulnerabilities that may be unforeseen. The functionality of devices and the safety of the patients is dependent upon keeping up with regulations and following guidelines.
To view the interviews click on the links below: