Cybersecurity Checklist
Cyberattacks are a complex, constantly evolving global threat. Attacks can disrupt the function and compromise the data
security of any medical device that is or can be connected to another electronic device and/or network. In addition, vulnerable
medical devices may be harnessed as part of a botnet* to launch attacks on other targets; as a back channel to breach the
security of hospital or clinic networks; to extract ransoms; to harm a patient or user of the device and to inflict other financial
or reputational damages onto device manufacturers, clinics and patients.
Because of the broad, pervasive, and rapidly changing nature of cyber threats, regulators and standards organisations recommend that device manufacturers adopt a proactive, structured approach to cybersecurity. The approach should be applied organisation wide and incorporate processes to identify, protect against, detect, respond to, and recover from cyberattacks [1, 2, 3].

The following checklist will help assess your organisation's ability to effectively address medical device cyber threats.

Active Executive Sponsorship

Have you assigned responsibility for cybersecurity risk management to a senior manager?

Does this person have active and visible support from executive management at each stage of planning, deploying, and monitoring cybersecurity efforts?

Do you have a formal cybersecurity risk management programme in place?

Identifying Cyber Risks

Do you have a structured system in place for:
1. Identifying potential cyber threats and vulnerabilities in your device production and development environments, and within devices themselves
2. Assessing how they might affect the proper functioning of the device and its end users?

Do you have a structured process for assessing the likelihood that specific threats will occur and the risks they may present? Specifically, are you employing the 'Common Vulnerability Scoring System', an open industry standard that rates the severity of security vulnerabilities in software?

Do you have a structured process in place for prioritising risk management activities, and have you developed criteria for assessing when risks are adequately controlled?

Do you update your risk identification, assessment, and prioritisation at least annually or as dictated by emerging circumstances?

Do you work with other device manufacturers, IT professionals, and internet service providers to help identify emerging cyber threats?

Are you participating in the Information Technology-Information Sharing and Analysis Center (IT-ISAC) or other ISAC group related to cybersecurity?
ICONplc.com
Protecting Against Cyber Risks

Do you have a structured process for determining how to incorporate the best method(s) for accessing a device, such as ID cards, smart cards, individualised passwords, tokens and biometrics to authenticate users, and two-factor authentication? Is access restricted by user and device roles, such as patients, clinicians, technicians, and administrators?

Do you employ proven secure design and communication protocols whenever possible?

Does your software employ any hardwired passwords?

Does your software apply strong password protection as appropriate?

Do you restrict software and firmware updates to authenticated code using methods such as signature verification?

Do you use physical barriers such as locks as appropriate?

Do you have standard operating procedures in place for protecting cybersecurity, and do you train employees and users on these procedures?

Do you secure data transfer to and from devices using methods such as encryption?

Do you periodically reassess your software for recently discovered vulnerabilities?

Do you use and regularly update anti-virus software?

Do you strive to keep operating systems associated with devices/systems updated to incorporate the latest security fixes?

Are your software developers provided periodic training on the latest secure coding techniques?

Do you periodically check for upgrades or patches for any open source or third-party software components incorporated into a device that address bugs or security flaws?

Do you have cybersecurity experts review software designs prior to implementation?

Do you construct threat models and subject your products to independent assessments and penetration tests by information security specialists?

Do you require contractors and development partners to apply suitable cybersecurity precautions and certify that their products comply with reasonable security standards?

Detecting Cyberattacks

Do you use intruder detection systems to identify any anomalous activity in your devices and on your network? Do you routinely audit network and/or device logs for anomalous or malicious activity or penetration attempts?

Do you program networked devices to deliver a 'heartbeat' signal and investigate whether that signal has been missed, off schedule, or disrupted?

Do you document access to devices and networks by all users?

Do you regularly scan devices and networks for the presence of known viruses, worms, or other threats?

Do you inform users about signs of cyberattacks and ask them to report these attacks to you?

Do you regularly look for new ways to automatically detect when a device or network has been compromised based upon the evolving cyberworld?

Responding to Cyberattacks

Do you have standard procedures in place for immediately responding to cyberattacks, including analysing the threat and developing mitigation strategies, such as constructing software patches for newly discovered vulnerabilities?

Do you have a plan for prompt communication with users about cyberattacks and steps they should take to address new threats?

Do you have continuous performance improvement processes in place for incorporating new learning about cyber threats into future designs?

Recovering From Cyberattacks

Do you routinely create backups of device and network data in a secure location so that device and network functions can be restored without functional interruptions after an attack?

Do you systematically improve your cybersecurity defence capabilities in response to cyberattacks?

Next Steps

Each of the capabilities mentioned above can improve cybersecurity and meet new FDA requirements for managing cybersecurity risk. For more information about these and other steps you can take to address cybersecurity risks, contact ICON's medical device and diagnostics experts at ICONplc.com/devices.
* A network of Internet-connected private computers, servers, and mobile
devices, which is infected with malicious software and controlled as a
group without an owner’s knowledge or consent.
References
1. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. FDA, October 2, 2014.
2. Postmarket Management of Cybersecurity in Medical Devices. FDA, December 28, 2016.
3. Framework for Improving Critical Infrastructure Cybersecurity, draft version 1.1. National Institute for Standards and Technology, January 10, 2017.