Medical Device Cybersecurity: 5 Best Practices for the Patient Safety

Today’s medical equipment becomes firmly embedded with centralized and decentralized networks, connected devices, and digital solutions of all sorts. Latest technological advancements push healthcare and medicine approaches through automation, in-depth workflow organization, and collaborative tools that streamline both performance and results in the field.

At the same time, such solutions rely heavily on the web connection while all enterprise, registry, and other data is more often stored in online cloud depositories for faster, more mobile access.

On the flip side of things, this spawns a myriad of security issues and risks – cybercriminals are fast to infiltrate valuable data sources, which may result in quite a damage both to the healthcare provider’s reputation and the patient’s financial or even life security.

This is why specific medical device cybersecurity standards are in place. Thankfully, we have up-to-date methods for preventing and fending off risky occurrences. But let’s start from the beginning.

Risks of Hacking Medical Devices for Medical Organizations

As FDA claims, all in all, the consequences of a, say, medical storage breach may potentially stretch from simple (yet costly) patient service inconveniences to fatal losses and provider’s business downhill. Above all, poor medical device cybersecurity may result in serious reputation damage for cybersecurity providers of any level.

Namely, when hacked, medical organizations are put at risk in terms of:

1. Workflow consistency. Providers may suffer significant performance downtime due to forced security maintenance procedures, confusion, and conflicts between employees facing the breach hindered productivity, and extra costs (both as a result of downtime and security reinforcement expenses).
2. Medical consequences of varying degrees. These may vary from minor patient care issues to major harmful to health impacts and even fatal outcomes due to data misalignment, belated treatment, and paperwork issues.
3. Reputation damage. Every service provider’s reputation is invaluable, especially in the field such as healthcare and medicine, while leaked or corrupted data accusations may stretch over some of the most cumbersome legal processes and publicly expose the company in the worst light (the data breach will always be your fault, even if it isn’t initially).

Unauthorized Medical Device Access and Other Patient Risks

Strictly corporate risks aside (however grave they can be), patients are the main victims of malicious attacks on medical records, actions that undermine medical device security and such. Patients always make up the innermost echelon to protect at all costs. 

As compared with the above-listed risks for medical organizations, patient risks are more personal and direct:

1. Private information disclosure. The principles of medical secrecy remain fundamental in doctor-patient relationships. Any human being whose personal data is accessed and disclosed in an unauthorized manner doesn’t need a non-disclosure agreement (NDA) to have a right for allegations.
2. Loss of valuable medical history. Returning to the above-mentioned potentially harmful to health outcomes, medical history is the basis of the patient’s treatment that outlines all the major and minor specifics within a personal record that may stretch over the years of medical supervision and treatment. Here, data loss is unacceptable.
3. Failed (or counter-effective, harmful) therapy. An even worse result of a cybercriminal’s tampering with sensitive records through medical device security breaching is patient treatment gone wrong. Diagnostics and therapy are usually very individual, so even minor data misalignment may provoke far-reaching consequences.

5 Medical Device Cybersecurity Best Practices

A number of different specialized regulators and manufacturers may help you find your way around local and global standard compliance routine. Regulations and standards can be very individual and vary based on the locality of operation, type of equipment, the extent of medical coverage, etc. To give you a fuller picture of how it all works and guide you through the main existing regulations, let’s take a look at five major security compliance practices that can help you achieve sturdy data protection and insightful risk management.

IEC 62304 standard compliance

Primarily an international functional safety standard, IEC 62304 governs the way medical devices are designed and maintained in the process of work. More specifically, it outlines design and maintenance guidelines that cover the whole medical equipment software lifecycle and applies to both devices with embedded software and Software as a Medical Device (SaMD) solutions. 

The major philosophy of the standard is about implementing safety practices at the initial stages of device/software development – i.e., taking care of cybersecurity requirements from the get-go.

This is done by classifying and specifying certain processes of implementing equipment safety, with the extents of safety broken down into three classes:

• Class A: no potential damage to health whatsoever;
• Class B: possibility of only minor injury;
• Class C: significant or fatal hazard.

In order to properly classify and calibrate security standards for medical devices, IEC 62304 standard poses some general requirements and breaks down into a number of specific safety-governing processes you’ll need to follow. Let’s take a look at the standard’s contents.

• General requirements
  • Have an efficient management system in place;
  • Run a separate risk management workflow;
  • Employ software safety classification.
• Software development
  • Scope and planning;
  • Requirements gathering and analysis;
  • Architectural design;
  • Implementation and verification of software pieces;
  • Integrations and their testing;
  • Full system testing;
  • Launch and release.
• Software maintenance
  • Maintenance planning;
  • Analysis of issues and changes;
  • Implementation of solutions.
• Risk management
  • Risk analysis and control;
  • Verification of risk control measures;
  • Focused risk management.
• Configuration management
  • Analysis of proper configurations;
  • Change control;
  • Configuration status.
• Problem resolution
  • Issue reporting and investigating;
  • Advising and change control;
  • Categorized issue analysis;
  • Verification of resolutions;
  • Documentation testing.

As such, the above standard comes in as a handy checklist and an algorithm of actions for thorough medical device software implementation that inherently promotes ultimately secure connected devices and software pieces. IEC 62304 points you in the most proper product lifecycle directions across multiple points it makes, focusing on all three device safety classes separately: 

• The software development section outlines the need to use common testing tools for Class A devices and specialized (sometimes even custom built and tailored) testing solutions for Classes B and C.
• The risk management chapter promotes traceability matrix tools that enable you to efficiently trace specific measures for outlined issues and situations.
• As for the configuration management section, IEC 62304 duly cautioned against employing software of unknown providence (SOUP), which includes easily-breachable third-party integrations such as open-source libraries (in all other cases, software must be thoroughly screened for proper security functions and possible threats). On top of that, efficient change control emphasizes the importance of timely updates and change testing.

What it all comes down to is the necessity of a handy management system and expertise sufficient for digging through all the major standards for medical device security in detail.

ISO 14971 standard compliance

This standard is dedicated to risk management involving various medical devices and software solutions on the international level. This includes cybersecurity risks as a separate article. What’s special about this one is that ISO 14971 focuses on common requirements of patient safety more than anything else. Thus, it is there to help grant the total safety of all interactions taking place between the patient/user and the medical device.

The ultimate compliance with this standard is reached through proper documentation – one that thoroughly outlines all patient safety-ensuring procedures and efforts implemented across device lifecycle stages. In terms of medical device cybersecurity practices, ISO 14971 is all about managing risks and mitigating potential disasters – your documentation should reflect exactly the way you anticipate certain hardware failures and mitigate the consequences.

MDCG 2019-16 standard compliance

On top of the above two major standards, there is also a European MDR-accompanying document that outlines modern cybersecurity compliance guidelines concerning operations in the European Union territories. The standard prioritizes cybersecurity for networked medical devices with guidelines breaking down into eight essential principles for medical device security:

• Security management. Preliminary planning and documentation of each and every action related to cybersecurity are necessary.
• Requirements specification. All of those activities must be defined within proper specifications.
• Design security. A device’s design architecture must comply with major guidelines for cybersecurity in medical devices.
• Security implementation. Implementation of all cybersecurity aspects should be supervised and verified along the way.
• Testing verification and validation. Testing procedures must be clearly defined, tied to specific risks, and validated.
• Management security. The way newly-appearing security issues are handled must also be defined.
• Updates control. The main causes and methods of implementing updates.
• Cybersecurity guidelines. Lastly, all the outlines must be packed into comprehensive documentation for users that explain how to use software (in a secure way).

This one is mostly about documenting all the underlying processes and actions. Now, let’s take a look at some specific efforts of achieving medical device cyber security that is subject to such documentation.

HIPAA standard compliance

Issued by the U.S. Department of Health and Human Services, the Health Insurance Portability and Accountability Act governs the protection of sensitive patient data, setting standards for hardware/software, network, and data processing security. HIPAA covers all parties providing or connected in some way to healthcare services, including treatment providers, financial and workflow specialists, subcontractors, and any associated businesses that may have access to the patient data. 

In particular, there are two main regulations described in the HIPAA compliance guidelines:

• HIPAA Privacy Rule – also titled as Standards for Privacy of Individually Identifiable Health Information, it outlines national standards governing the safety of specific sets of health data deemed protected health information or PHI.
• Security Rule – this set of regulations supplements the above and describes national standards governing health data that is being stored or transferred electronically. It sets the Privacy Rule in motion by issuing technical/non-technical guidelines to be implemented by parties managing electronic patient records and pointing out proper technologies that HIPAA-compliant healthcare providers must adopt for safeguarded operation. 

HIPAA compliance focuses on healthcare providers and other parties managing digital healthcare workflow solutions, such as EMR/EHR systems (Electronic Health/Medical Records), CPOE systems (Computerized Physician Order Entry), and other digitized environments that may expose data and put patient privacy to risk.

The physical/technical safeguards outlined in HIPAA policies include the following:

• Authorized healthcare facility access control and limitation;
• Hardware and electronic data access management;
• Electronic data management (transferring, reusing, removing, etc.) restrictions;
• Session time-outs and automated log-off, data encryption/decryption, emergency data access rules;
• Log tracking, hardware/software activity monitoring, and audit reports.

What it all comes down to is the set of practices and technological implementations that enable healthcare providers and connected parties to comply with all the set regulations, maintain the trust of patients and involved specialists, and have in-depth visibility in all the underlying processes and procedures.

Device and personal data protection measures

Traditional cybersecurity methods aren’t going anywhere:

• Reliable passwords. All passwords must be unique, reliable (i.e., hard-to-crack – long wordings with numbers and upper/lower case combinations are always great), and kept secret. This classic tip goes for both system admins and end-users.
• Multi-factor authentication. This practice has become quite common over the years, which doesn’t make it less efficient when it comes to thorough cybersecurity protection, however.
• Access rights for multiple user roles. You may also segment user access rights by introducing levels of access and respective user roles (so that, e.g., admins have a fuller device access scope while employees and users get to operate only frontend features).
• Security updates. Surely, timely updates (both those inherent to device software and security firewall, antivirus, etc. updates) are necessary for keeping device operation and cybersecurity consistent and ultimately up-to-date.

Specific security-boosting features

A list of security-reinforcing features that can be added to the device software or firmware may include yet not end with: 

• Limited access. Only specialists with proper credentials should be able to access the device’s software backend and low-level functions.
• User authentication. Making a software logging procedure multi-faceted is always a must.
• Session time-outs. Restricting access with timely session time-outs and inactivity time-outs significantly complicates hackers’ breach attempts.
• Physical locks. You may equip a device with a physical lock similar to Kensington laptop locks for extra security of access to the device’s hardware or communication port.
• Backup and recovery. Make sure all the data is timely backed up during the cybersecurity management routine and the device’s operation can be easily recovered in unexpected situations.

FDA Medical Device Cybersecurity

FDA regulations intertwine with the above-mentioned IEC and ISO standards, yet the Food and Drug Administration of the USA has a particular focus on regulations directed at medical devices. FDA guidance ties up all the major medical device security standards with thorough guidelines that also subdivide cybersecurity measures into premarket (planning and preliminary maintenance, testing, etc.) and postmarket (lifecycle management, updates, upgrades, monitoring, end of life, etc.). What it all comes down to is a set of well-documented, structured measures of cybersecurity for medical devices.

Our Cybersecurity Projects

The medical device and software engineering team at Langate has implemented a range of medical and healthcare solutions that tackle different corners of the medical device industry, including:

• Medical document management and exchange solution
  We built a custom system for managing and sharing medical documents (e.g., ever-accumulating healthcare records) via a range of automated features that make specialists’ lives easier and boost overall productivity. With a client servicing 200 medical facilities across 20 US states, we created a solution based directly on end-user needs that provides:
  • Distributed file storage for multi-user file sharing based on DFS and Amazon S3;
  • Combined support for AD SSO and non-AD users to enable service over more than 100 facilities;
  • Advanced ACLs for in-depth protection against unauthorized access attempts through user/group roles and permissions;
  • Custom industry-specific fields and attributes for streamlined paperwork management.
• Medical smart glasses startup
  Our team was lucky to contribute to an innovative startup that simplifies data management for medical specialists via smart visualization. Namely, we helped develop EHR/EMR displaying software for specialized glasses that pull up and elaborately display patient information (personal and medical records). The result is a fully HIPAA-compliant MVP solution that is currently underway for full completion.
• Facial recognition for clinical trials
  The team at Langate built a solution based on biometric tech that helps make sure a clinical trial participant isn’t enrolled in multiple trials at the same time. This helps achieve secure remote trials free from costly duplicates and malicious intents. 

Final Thoughts

Achieving sturdy security for medical devices may not be the most hassle-free initiative, but the results are long-lasting and paramount in their importance for both healthcare providers and consumers (patients). Though cybersecurity solutions constantly evolve and expand, you should be up-to-date on all the basic requirements and common regulations. We believe the above-mentioned medical device security best practices should help shine more light on them for you.
If you are looking for a cyber-secure solution for medical devices but don’t wish to bother with all the specifics – contact professionals at Langate. We can help you implement and control system security via a market-defining custom software solution.