
Cybersecurity in Pharma Medical Devices

New FDA call to action


Few organizations are as influential as the American Food and Drug Administration (FDA) with regard to their impact on business. An agency of the USA's Department of Health and Human Services, the FDA ensures public safety by regulating anything related to prescription and OTC drugs, vaccines, medical devices, cosmetics, tobacco, EREDs (electromagnetic radiation emitting devices), products for animal consumption or care and, of course, the packaging related to these products. Companies that wish to do business in the USA must therefore ensure their products are FDA-compliant, and sometimes that is not as easy as it sounds.

A good example is the fairly recent initiative by the FDA to educate companies that produce medical devices about the risks associated with cybersecurity. In October 2015, the FDA finalized its list of recommendations (not regulations) to assist companies with improving the protection of consumer health information. The final paper, entitled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices", is a comprehensive guide that focuses on incorporating cybersecurity risk management into the design and development process of a medical device. The FDA also recommends that medical device manufacturers plan updates and software patches for any software their particular products, and by extension their packaging, may require.

Many packaging suppliers working in the pharma space have concluded that producing ancillary medical devices to accompany their packaging is a viable source of revenue, or at least sweetens the deal when it comes time to sell their products. In fact, some packaging firms that began with simple medical devices have found the medical device market lucrative and have gone on to market more complex solutions, as measured by the FDA's general device classifications. Many packaging firms have moved into the Class I space, but some hardy adventurers are also forging ahead into the more technical territory of Class II items.

Class I: Hand-held medical tools, tongue depressors, bandages, applicators, etc.

Class II: Surgical needles, x-ray machines, powered wheelchairs, etc.

Class III: Heart valves, cerebral stimulators, pacemakers, etc.

With regard to cybersecurity, the focus seems to be on Class II and III devices. Most bandages won't include electronics that require security measures but anything that detects and reports certainly will.

The goal is to reduce vulnerabilities in the software associated with medical devices or related to their distribution. Realistically, any medical device that relies on computer processing in some way can succumb to a cyberattack. The FDA has not focused on what has happened in the past, because to date there has not been a full-scale attack on medical devices, or at least not one about which the public has been informed.

The fact remains, however, that there are many software vulnerabilities that can, and most likely will, be exploited. The consequences include malware infections on medical devices that are connected to phones or computers, unpatched software that can be accessed with little difficulty, and unauthorized access to unsecured passwords that in turn exposes patient data.

By having a clear plan that addresses software vulnerability and incorporating it into the development process, companies producing medical devices and their associated packaging can ensure greater security. Working with other federal agencies and producers of medical devices to identify and share vulnerabilities, the FDA's goal in the long term is clearly to stop a digital epidemic before it happens.

The Suggested Approach


Identify

Defining essential clinical performance:
Manufacturers should define the essential clinical performance of their device, the resulting severity outcomes if compromised, and the risk acceptance criteria.

Identification of cybersecurity signals :
Manufacturers are encouraged to actively identify cybersecurity signals that might affect their product, and engage with the sources that report them.


Protect/Detect

Vulnerability characterization and assessment:
Manufacturers should characterize and assess identified vulnerabilities and should consider factors such as remote exploitability, attack complexity, threat privileges, actions required by the user, exploit code maturity, and report confidence.

Risk analysis and threat modeling:
Threat modeling identifies objectives and vulnerabilities, and then defines countermeasures to prevent, or mitigate the effects of, threats to the system.

Analysis of threat sources:
A threat source is defined as the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability. Characterizing threat sources helps manufacturers assess risks that are not covered by traditional failure analysis.

Incorporation of threat detection capabilities:
Medical devices may not be capable of detecting threat activity and may rely on network monitoring instead. Manufacturers should consider incorporating design features that establish or enhance the device's ability to detect an attack and to capture forensically sound postmarket evidence when one occurs.

Impact assessment on all devices:
A signal may identify a vulnerability in one device, and that same vulnerability may impact other devices including those in development, or those not yet cleared, approved or marketed.


Protect/Respond/Recover

Compensating controls assessment (detect/respond):
Device-based features should be implemented as the primary mechanism for mitigating the impact of a vulnerability on essential clinical performance.

Risk mitigation of essential clinical performance:
Once the preceding information has been assessed and characterized, manufacturers should determine if the risk levels presented by the vulnerability to the essential clinical performance are adequately controlled by existing device features.
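As an added illustration of how the Protect/Detect and Respond/Recover steps above fit together, the following Python script characterizes one cybersecurity signal by the factors the guidance names (remote exploitability, attack complexity, privileges, required user action, exploit code maturity, report confidence), propagates it across every device in a portfolio that carries the affected component (marketed or still in development), applies each device's existing compensating controls, and checks the residual risk against per-severity risk acceptance criteria. This is example code written for this page, not FDA code or an FDA scoring method; every weight, threshold, control discount, device name and component version is a constructed assumption.

```python
"""Illustrative triage of a cybersecurity signal across a device portfolio.

Added example, not FDA code: all scales, weights, thresholds and sample data
below are constructed for illustration and carry no regulatory meaning.
"""
from dataclasses import dataclass, field

# Constructed ordinal scales for the characterization factors named in the text.
# Higher value = easier for an attacker = higher exploitability (range 0..1).
ATTACK_COMPLEXITY = {"low": 1.0, "high": 0.4}
PRIVILEGES_REQUIRED = {"none": 1.0, "low": 0.6, "high": 0.3}
EXPLOIT_MATURITY = {"unproven": 0.5, "proof_of_concept": 0.7,
                    "functional": 0.9, "weaponized": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.5, "reasonable": 0.8, "confirmed": 1.0}

# Constructed risk-acceptance criteria: the maximum tolerable exploitability
# for each severity of outcome to essential clinical performance.
ACCEPTANCE = {"negligible": 0.9, "serious": 0.5, "catastrophic": 0.25}

# Constructed multiplicative discount that an existing device-based
# (compensating) control applies to the exploitability of a signal.
CONTROL_DISCOUNT = {"network_isolation": 0.3,
                    "authenticated_access": 0.6,
                    "input_validation": 0.7}


@dataclass(frozen=True)
class Signal:
    """One cybersecurity signal about a specific software component version."""
    component: str
    version: str
    remote: bool          # exploitable over a network?
    complexity: str       # key of ATTACK_COMPLEXITY
    privileges: str       # key of PRIVILEGES_REQUIRED
    user_action: bool     # does exploitation require an action by the user?
    maturity: str         # key of EXPLOIT_MATURITY
    confidence: str       # key of REPORT_CONFIDENCE


@dataclass
class Device:
    """A device and its minimal software inventory (component -> version)."""
    device_id: str
    stage: str            # "marketed" or "in_development"
    severity: str         # outcome if essential clinical performance is lost
    components: dict
    controls: set = field(default_factory=set)


def exploitability(sig: Signal) -> float:
    """Vulnerability characterization: combine the factors into one 0..1 score."""
    score = (ATTACK_COMPLEXITY[sig.complexity] * PRIVILEGES_REQUIRED[sig.privileges]
             * EXPLOIT_MATURITY[sig.maturity] * REPORT_CONFIDENCE[sig.confidence])
    score *= 1.0 if sig.remote else 0.5        # local-only access halves the score
    score *= 0.7 if sig.user_action else 1.0   # needing a user action lowers it
    return round(score, 3)


def affected_devices(sig: Signal, inventory: list) -> list:
    """Impact assessment: every device carrying the affected component version,
    including devices still in development."""
    return [d for d in inventory if d.components.get(sig.component) == sig.version]


def residual_exploitability(sig: Signal, dev: Device) -> float:
    """Compensating controls assessment: apply the device's existing controls."""
    score = exploitability(sig)
    for control in dev.controls:
        score *= CONTROL_DISCOUNT.get(control, 1.0)
    return round(score, 3)


def assess_portfolio(sig: Signal, inventory: list) -> dict:
    """Risk mitigation check: is the residual risk per device within the
    acceptance criteria for that device's severity outcome?"""
    report = {}
    for dev in affected_devices(sig, inventory):
        residual = residual_exploitability(sig, dev)
        report[dev.device_id] = {
            "stage": dev.stage,
            "severity": dev.severity,
            "inherent": exploitability(sig),
            "residual": residual,
            "controlled_by": sorted(dev.controls),
            "acceptable": residual <= ACCEPTANCE[dev.severity],
        }
    return report


# Constructed sample signal: a remotely reachable flaw in a hypothetical TLS
# library, with only proof-of-concept exploit code and a reasonable-confidence report.
SAMPLE_SIGNAL = Signal("tls-lib", "1.2.0", remote=True, complexity="low",
                       privileges="none", user_action=False,
                       maturity="proof_of_concept", confidence="reasonable")

# Constructed sample portfolio; device names and components are hypothetical.
SAMPLE_INVENTORY = [
    Device("infusion-pump-A", "marketed", "catastrophic",
           {"tls-lib": "1.2.0", "rtos": "4.1"}, {"network_isolation"}),
    Device("patient-monitor-B", "marketed", "serious",
           {"tls-lib": "1.2.0"}, {"authenticated_access"}),
    Device("monitor-C-next", "in_development", "serious", {"tls-lib": "1.2.0"}),
    Device("glucose-reader-D", "marketed", "negligible", {"tls-lib": "1.3.0"}),
]

if __name__ == "__main__":
    for dev_id, row in assess_portfolio(SAMPLE_SIGNAL, SAMPLE_INVENTORY).items():
        print(f"{dev_id:18} {row['stage']:15} residual={row['residual']:.3f} "
              f"acceptable={row['acceptable']}")
```

Run as written, the script flags the in-development device as the one whose risk is not adequately controlled by existing features: it carries the same component as the marketed devices but none of their compensating controls, which is exactly the cross-portfolio gap the impact assessment step is meant to surface. Swapping the constructed weights for the manufacturer's own characterization scale and acceptance criteria is the only change needed to adapt it.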

Modified 07 Apr 2016