Cyber Healthcare Series: Three imperatives that should define your medical device security strategy

Forty million – this is the stark number of individuals impacted by reported cybersecurity breaches from 697 healthcare entities between January 2021 to July 2022. The harm that arises from many of these cybersecurity breaches is almost always severe to key players within the medical device ecosystem. The potential costs to medical device manufacturers (either directly monetary or reputational) and to their patients aren’t to be taken lightly. There are no winners in the event of a breach.

The growing cybersecurity threats facing medical device manufacturers necessitate a renewed commitment to investing in an enterprise’s product security program. Executives and cybersecurity leaders must deliver a robust security strategy that addresses patient safety and focuses on the following key program imperatives. 

1. Assess the evolving cyber threat landscape unique to your core and next-generation medical devices.

A company’s product development methodology cannot solely rely on prior approved secure design patterns as demand surges for new patient features. Organizations need to consistently assess the design of previous generation devices in terms of attack scenarios that threaten security and operational effectiveness.

The emergence of device connectivity presents heightened risks of network-based attacks and requires cybersecurity leaders to maintain a program focused on regular security assessments (e.g., secure design reviews and penetration testing). As next-generation products enter development, it is crucial to evaluate the implications of incorporating new features, third-party components, and software that may introduce security risks not previously known in prior approved design patterns.

2. Evaluate your security program’s alignment with evolving regulatory standards.

We continue to see an active regulatory landscape as evident from the recently released HHS guidelines on the HIPAA Privacy Rule, the bipartisan federal privacy bill that advanced through congressional subcommittees, and the US FDA’s draft guidance issued in April 2022, the “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The US FDA’s draft guidance focuses on instituting standard program practices to securely design, identify, and respond to an evolving cyber threat landscape. The draft guidance provides clarity on how organizations should prioritize secure design reviews (e.g., threat modeling), robust vulnerability testing (e.g., static code analysis testing and penetration testing), and standardized strategies for deploying device patches.

It is time for organizations to embed security in development, while not compromising on functionality and patient safety. The recommended FDA guidance should direct how executives understand their product security program and reinforce the investments needed to produce market-ready secure medical devices.

3. Invest in the organization’s secure product development practices and institute new program capabilities focused on patient safety.

With the persistence of malicious adversaries, the security threats facing medical device manufacturers require the commitment of executive leadership to institute a strategic product security program. A successful product security strategy and framework will drive consistency in developing secure designs, discovering vulnerabilities, and proactively publishing software updates to remediate new threat vectors. It is the responsibility of cybersecurity leadership to enforce comprehensive security controls that support this framework with an emphasis on authentication, authorization, encryption, detection, and recovery.

The success of the product security program is determined by the organization’s commitment to addressing known capability and talent gaps. An existing security framework and controls should be refreshed and rationalized to incorporate leading security practices, including but not limited to threat modeling and software security testing.

Please follow the AlixPartners Blog for future updates to our Cyber Healthcare Series. 

Additional contributors to this post: Dean Weber, Digital Cyber SVP