The following is a guest article by Alex Rybak, Senior Director of Product Management at Revenera
Pacemakers, insulin pumps, CT systems, wearables: these and many more medical devices are increasingly common parts of contemporary healthcare treatments.
The increased digitization of the medical field, created by the growing number of medical internet of things (IoT) devices that are integrated into IT networks, means that the cybersecurity risk is also increasing. Medical providers, supported by device manufacturers, must take comprehensive approaches to ensure the safety of these devices, including the embedded software that’s essential to their functioning.
Efficient IoT Medical Device Cybersecurity is a Must
As reliance on IoT medical devices grows, it represents a shift within the field. The focus on value-based healthcare is intended to improve clinical outcomes while lowering overall costs. Incorporation of technology in the diagnostic and post-procedural phases is intended to improve value across the continuum of care. Reliance on technology services and insights helps deliver operational efficiencies and better patient care management. And usage of real-time insights can help deliver personalized patient care.
With medical IoT devices now playing a significant role, these devices must be secured as part of the software supply chain. Undocumented open-source code is in virtually all software; in healthcare, specific precautions are needed to guard against the risks of vulnerabilities potentially contained in open source software (OSS) and third-party code. For example, HIPAA requires device manufacturers to minimize the risk of shipping products to customers with unpatched vulnerabilities.
The specific needs of this field have often meant that complex devices require compatibility or dependency checks before a software update, that technicians must manually verify hardware compatibility before starting an update, or that there is no visibility into which software or firmware versions are running on devices. Improved, automated updates can now replace these time-consuming manual processes. Healthcare providers who use these devices should be aware of these best practices and ensure that suppliers or device manufacturers are performing all necessary updates.
Regulatory Mandates are Growing
The patients who use IoT medical devices count on the devices to help improve their physical health. The providers who offer these IoT medical devices must have confidence that the manufacturers can guarantee the safety of the devices. This requires awareness of the legislative guidelines and regulatory frameworks, along with monitoring and reporting criteria that are growing (nationally and internationally) to ensure this level of safety.
The U.S. Food & Drug Administration’s Medical Device Safety Action Plan issues specific cybersecurity requirements. Goals include the reduction of attack surfaces, controlling access to data and software, and the maintenance of updated software and firmware. The FDA’s cyber regulations are primarily focused on medical devices with cybersecurity risks (networked, containing software, etc.).
Healthcare providers using medical devices should understand and demand comprehensive security procedures from device manufacturers that conform with industry best practices. Per the FDA guidelines, medical device manufacturers must build the capability to patch device security into a product’s design; they must provide appropriate data regarding this capability to the FDA as part of the device’s pre-market submission to demonstrate reasonable assurance of cybersecurity procedures and testing, including software bills of materials (SBOMs). Once devices are made available, manufacturers must adhere to post-market requirements. These include the need to monitor, identify, and address cybersecurity vulnerabilities and exploits.
Additionally, publicly traded companies must comply with the U.S. Securities and Exchange Commission’s guidelines that mandate disclosure of material cybersecurity incidents within four business days via an 8-K form, as well as cybersecurity disclosures along with all of the company financials in the annual 10-K form.
Similarly, the European Union Medical Device Regulation (MDR) applies to manufacturers, authorized representatives, importers, or distributors of medical devices in the EU. These parties must identify vulnerabilities and potential exploits in their devices, design, develop, and maintain medical devices with robust cybersecurity features, and provide timely software updates and security patches.
All of the aforementioned regulations require a complete and up-to-date SBOM to serve as a source of truth for the contents of your portfolio of applications. A comprehensive open-source management program, including software composition analysis (SCA) tools, allows you to integrate the construction and management of SBOMs into your existing software management process. This allows organizations to identify compliance issues as early as possible as well as perform impact analysis as newly discovered security vulnerabilities are reported outside the organization.
Security Documentation is Essential
As a general rule, manufacturers are responsible for the security of the software in their products. They must analyze the security of applications systematically and continuously throughout the software lifecycle. This includes after a release of an application, along with ongoing monitoring for new security vulnerabilities.
Security documentation starts at the code level and requires a high degree of automation. Commercial applications today are made up of thousands of components from different sources—proprietary code, code from partners and third-party providers, and freely accessible open-source components from various public repositories.
By delivering an SBOM to the medical organizations that use the devices, device manufacturers can assure users of the safety of the devices. SBOMs are a kind of inventory list that contains top-level components, sub-components, and dependencies, both direct and transitive, along with the associated licenses and security vulnerabilities. IT and healthcare information management teams, developers, security, and compliance managers can use this information to gain a comprehensive insight into the composition of the software and devices their organization is using—and the potential impact on patients. SBOMs help document the components in the software applications, legal and/or security compliance issues, exposure to specific vulnerabilities, how current the components are, where risks exist, and how to mitigate them.
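As an added illustration of the SBOM-driven impact analysis described above (example code written for this article, not Revenera's or any manufacturer's tooling): it loads a constructed, CycloneDX-style SBOM, lists the top-level deliverables, and, for a component named in a newly published vulnerability report, walks the dependency graph in reverse to show which deliverables are exposed and through which direct or transitive path. The SBOM layout, component names and versions are all constructed for the example.

```python
import json
from collections import deque

# Constructed SBOM in a CycloneDX-like shape (illustrative layout, not real vendor output).
SAMPLE_SBOM = json.dumps({
    "components": [
        {"ref": "pump-firmware@2.1.0", "license": "Proprietary"},
        {"ref": "monitor-app@4.0.3", "license": "Proprietary"},
        {"ref": "tls-lib@1.4.2", "license": "MIT"},
        {"ref": "json-parser@0.9.0", "license": "Apache-2.0"},
        {"ref": "compression@3.0.1", "license": "BSD-3-Clause"},
    ],
    "dependencies": [
        {"ref": "pump-firmware@2.1.0", "dependsOn": ["tls-lib@1.4.2"]},
        {"ref": "monitor-app@4.0.3", "dependsOn": ["json-parser@0.9.0"]},
        {"ref": "tls-lib@1.4.2", "dependsOn": ["json-parser@0.9.0"]},
        {"ref": "json-parser@0.9.0", "dependsOn": ["compression@3.0.1"]},
        {"ref": "compression@3.0.1", "dependsOn": []},
    ],
})

def load_sbom(text):
    """Return (license map, forward dependency graph) from SBOM JSON text."""
    doc = json.loads(text)
    licenses = {c["ref"]: c.get("license", "UNKNOWN") for c in doc["components"]}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in doc["dependencies"]}
    return licenses, graph

def top_level_components(graph):
    """Components nothing depends on: the shippable artifacts (device firmware, apps)."""
    depended_on = {dep for deps in graph.values() for dep in deps}
    return sorted(ref for ref in graph if ref not in depended_on)

def impact_analysis(graph, vulnerable_ref):
    """Map each exposed top-level component to its dependency path down to vulnerable_ref."""
    reverse = {}  # child -> parents, so we can climb from the vulnerable component
    for parent, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, []).append(parent)
    roots = set(top_level_components(graph))
    impacted, seen = {}, {vulnerable_ref}
    queue = deque([(vulnerable_ref, [vulnerable_ref])])
    while queue:  # breadth-first climb; 'seen' guards against cyclic metadata
        ref, path = queue.popleft()
        if ref in roots:
            impacted[ref] = path[::-1]  # root -> ... -> vulnerable component
        for parent in reverse.get(ref, []):
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, path + [parent]))
    return impacted
```

Running `impact_analysis(graph, "compression@3.0.1")` on the sample shows both deliverables exposed through different transitive paths, which is the information a provider needs to prioritise which devices to patch first.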
Today’s medical interventions are leaps and bounds beyond what was imaginable only a few years ago. The availability of diverse types of IoT medical devices has brought great advances to patient care. Making sure those devices—and the patients who use them—are protected against cybersecurity threats is the next essential step in ensuring the health of patients and protecting the liability of the providers who deliver them.
About Alex Rybak
Alex Rybak is a Senior Director of Product Management at Revenera, focusing on their Software Composition Analysis (SCA) solutions. He also heads up Revenera’s Open Source Program Office (OSPO) and is a member of the internal cybersecurity and incident response team.