Ensure Cyber Security For Biomedical Device


According to a KPMG (Klynveld Peat Marwick Goerdeler) advisory on medical devices, annual sales of biomedical devices will reach eight hundred billion by 2030. This growth is primarily driven by the connectivity of medical devices. The projections reflect increasing demand for innovative new devices (like wearables) and services (like health data). The growing aging populations in China and India unlock immense potential in emerging markets.

Managing cyber security programmes for biomedical devices requires a unique approach to people, processes, and technologies, each of which can introduce cyber security and safety weaknesses. The connected nature of medical devices exposes them to cyber risks. Health Delivery Organisations (HDOs) must adhere to strict standards to ensure patient privacy and safety. Unlike in Europe, cyber security and privacy regulation in the US is fragmented across regulatory agencies and state and federal jurisdictions; examples include PCI-DSS, HIPAA, FERPA, etc. The FDA (Food and Drug Administration) is the regulatory body for biomedical devices in the United States, and it has published multiple cyber security guidelines.

Safety 

Cyber security programmes are managed quite differently across industries: the technology elements of cyber security have common denominators, but the processes and the talent vary. Cyber security programmes for biomedical devices are often driven by the safety and privacy of patients. The users of the devices are clinical professionals, researchers, biomedical engineers, patients, and health professionals. Confidentiality, integrity, availability and safety play a crucial role in biomedical devices. Compromise of any of these four can be detrimental to patient safety, privacy, and health records.

Devices need to strike a delicate balance between the amount of data generated, captured, and transmitted. The data drives innovation, personalised clinical care and therapy. Data is also vulnerable to attackers, as attack vectors and digital attack surfaces increase dramatically with the rapid growth in connectivity and digitisation of clinical processes. Artificial intelligence and machine learning in biomedical devices require large sets of medical data. Biomedical devices provide unique opportunities to decentralise machine learning and artificial intelligence at the patient level, the HDO level and the geographic-cohort level. Biomedical devices are becoming increasingly sophisticated and are collecting more data than ever before.

The FDA's cyber security guidelines focus on pre-market and post-market cyber security. They cover Quality System Regulations (QSR), the Secure Product Development Framework (SPDF), the SBOM (Software Bill of Materials), vulnerability management, disclosure requirements, and design control requirements. Continuous monitoring of cyber threats, treating cyber security as a TPLC (Total Product Life Cycle) concern, and cyber risk management are at the core of cyber security and safety. The FDA guidelines recommend AAMI TIR57/07, SW86, NIST 800-30, the NIST CSF, the Medical Device and Health IT Joint Security Plan (JSP), ISO 14971 for safety risks, and IEC 81001-5-1. Safety and security risks are reduced to an acceptable level and continuously monitored, and new vulnerabilities identified during the product life cycle are mitigated.

The severity of safety and cyber issues is determined by the type of device, whether it is Class II or Class III. Cyber security risks in healthcare are primarily shared between medical device manufacturers and HDOs. It is difficult to manage cyber security programmes in a shared responsibility model, but because of the interconnected nature of software systems, rules of engagement and processes should be developed between the different stakeholders, including HDOs, cloud service providers and manufacturers. User manuals, labels, communication plans, complaint management and service level agreements are the tools for sharing responsibility for security.
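As an added illustration (not from the article or from any FDA document) of how an SBOM supports the continuous vulnerability monitoring the guidelines call for: the script below matches a constructed CycloneDX-style SBOM against a constructed advisory list and ranks findings by device class, so that Class III findings reach the remediation plan first. The device name, component names, advisory identifiers and scores are all made up for the example.

```python
"""Match a device SBOM against an advisory feed and prioritise findings.
All data here is constructed: the device, components and advisory IDs are
placeholders, not real products or real vulnerabilities."""
import json

# Constructed CycloneDX-style SBOM for a hypothetical infusion pump.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"name": "example-infusion-pump", "version": "4.2",
                               "properties": [{"name": "fda:deviceClass", "value": "III"}]}},
    "components": [
        {"name": "libexample-tls", "version": "1.0.2"},
        {"name": "example-rtos", "version": "3.1"},
        {"name": "example-bluetooth-stack", "version": "2.0"},
    ],
})

# Constructed advisory feed: placeholder IDs, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "libexample-tls", "versions": ["1.0.1", "1.0.2"], "cvss": 9.8},
    {"id": "ADV-PLACEHOLDER-002", "component": "example-rtos", "versions": ["2.9"], "cvss": 7.5},
    {"id": "ADV-PLACEHOLDER-003", "component": "example-bluetooth-stack", "versions": ["2.0"], "cvss": 6.5},
]

def device_class(sbom: dict) -> str:
    """Read the device class recorded in SBOM metadata (defaults to II)."""
    props = sbom["metadata"]["component"].get("properties", [])
    return next((p["value"] for p in props if p["name"] == "fda:deviceClass"), "II")

def match_advisories(sbom_json: str, advisories: list) -> list:
    """Return a finding for every SBOM component whose version an advisory lists."""
    sbom = json.loads(sbom_json)
    dev_class = device_class(sbom)
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and comp["version"] in adv["versions"]:
                # Class III devices carry higher safety impact, so weight them first.
                weight = 2.0 if dev_class == "III" else 1.0
                findings.append({"advisory": adv["id"], "component": comp["name"],
                                 "version": comp["version"], "priority": adv["cvss"] * weight})
    # Highest priority first so the remediation plan addresses it earliest.
    return sorted(findings, key=lambda f: f["priority"], reverse=True)

if __name__ == "__main__":
    for f in match_advisories(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} priority={f['priority']}")
```

Re-running the match each time the advisory feed changes is the post-market half of the TPLC monitoring the guidelines describe.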

The medical device product life cycle is three times longer than that of other types of software and devices. There is substantial security debt in medical devices because of the risk-averse nature of the industry, and patching difficulty and security debt grow exponentially with time. A proper remediation plan needs to be developed if there is a major upgrade or recall. Biomedical devices are moving to the next generation, where they will be constantly connected to the internet and provide data to HMOs, doctors, patients, and other healthcare stakeholders on their mobile devices. Real-time monitoring systems for biomedical devices and security operations teams are required to monitor and mitigate cyber threats.

Data security

Cyber security risk mitigation approaches such as fail fast, DevSecOps, and walk-crawl-run may not be well suited to all products in the biomedical, space, aerospace and military industries, where safety is critical and development processes are owned by multifunctional teams with clear separation of duties. These approaches may introduce new risks or exacerbate existing ones. For example, fail fast could lead to the release of unsafe products, DevSecOps could introduce security vulnerabilities that trigger safety issues, and walk-crawl-run could delay the development of critical systems. Instead, the biomedical industry and HDOs need to adopt tailored cyber security risk mitigation approaches that consider the safety and security requirements of the patient.

Nepal should enact a new policy for the data security of biomedical devices and healthcare data. Nurses, doctors, and HDOs should be trained in clinical cyber security and the privacy of patients. Law enforcement agencies should develop cyber operations expertise so that they can provide emergency cyber operations at hospitals and save patients' lives. Cyber security is national security. Nepal has failed to uphold quality and safety in the transportation sector, the result of which is loss of human life due to poor safety controls in automobiles. In Nepal, the biomedical device industry can help the transportation industry build safe and resilient systems that save human life.

(Dhungel is a cyber-security practitioner based in the USA. ravi@esrtech.io)
