By AAMI

With more and more medical devices connected to the Internet, clinical engineers and biomedical equipment technicians are increasingly tasked with managing cybersecurity throughout the entire life cycle of a device.
According to AAMI Fellow and Medcrypt Chief Cybersecurity Strategist Axel Wirth and Vidya Murthy, chief operating officer at Medcrypt, managing a device's life cycle includes working with vendors as they fulfill their postmarket obligations while you defend your own network. During the 2024 AAMI eXchange in Phoenix, Arizona, Wirth and Murthy presented on how device purchasers and operators can foster cooperation with vendors.
This topic is extremely relevant given the recent increase in cyberattacks on the health care sector. Per Murthy, the “fundamental change” consists of a massive spike in attacks that are motivated by theft. Not only did the health care and public health industry suffer nearly a quarter of all ransomware attacks in 2022, but incidents like the Change Healthcare attack have seriously harmed patients. According to Murthy, “data has shown … that patients have been lost.” Researchers found that between 42 and 67 Medicare patients died due to the fallout of ransomware attacks between 2016 and 2020.
Preparing for the Postmarket Phase
The postmarket phase is heavily regulated by FDA and begins as soon as a device is live in the field. For instance, if a device contains software or has the capacity to connect to the internet, it falls under FDA's cybersecurity requirements. Once a device is released, the manufacturer remains responsible for ensuring it cannot be exploited and that it is not left unsupported. According to Murthy, how security is assessed by health care delivery organizations (HDOs) needs to be "part of the core procurement process."
The ideal premarket security plan will include information on patching, patch management and security posture. To comply with regulators' expectations, this planning needs to occur early in the premarket phase. Proper documentation also allows FDA and the device purchaser alike to understand a vendor's precautions. Ideally, devices will be designed with the postmarket phase in mind; additions like a software bill of materials (SBOM) and ongoing monitoring will be useful. Postmarket maintenance, however, requires a risk-based triage process, and that process depends on the device manufacturer sharing information as needed.
Role of HDOs
HHS's Healthcare and Public Health (HPH) Sector Cybersecurity Performance Goals are also relevant. According to Wirth, "I would assume that the urgency of documents like this will accelerate because of the Change breach." While the HHS document is voluntary for now, Wirth expects that there will be "enforcement" of these priorities in the future.
Given HHS's priorities and the post-Change Healthcare landscape, Wirth pointed to some important priorities for vendors and HDOs alike. HDOs need to "have a strategic plan that comes top down and is established by business leadership." Leadership also "need[s] to understand that your cyber risk is their business risk." IT, clinical engineering and the necessary non-clinical departments should be involved, and they should be able to execute basic security fundamentals and have housekeeping measures in place.
Wirth also touted the usefulness of SBOM, which, in his words, is meant to mitigate the next WannaCry and ensure that you don't remain in the "fire drill model" for incident response. Ideally, SBOM data should be available through an HDO's computerized maintenance management system (CMMS), alongside the asset record for each device.
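The following is an added illustration, not code from the AAMI article, Medcrypt or any CMMS vendor, of what the risk-based triage described above looks like in practice once SBOMs sit next to asset records: when an advisory lands for a software component, the HDO cross-references it against every device's SBOM, checks the installed version against the fixed version, and ranks the hits by network reachability, patch availability and fleet size instead of running a fire drill. All device models, component names, versions and advisory IDs are constructed for the example and refer to no real product or vulnerability; the scoring weights are an assumption, not an AAMI or FDA recommendation.

```python
"""Added example, not from the AAMI article or Medcrypt: using per-device
SBOMs held in an HDO's CMMS to triage a new component advisory across the
fleet. All device models, component names, versions and advisory IDs are
constructed for illustration and refer to no real product or vulnerability.
"""
from dataclasses import dataclass
import re

# Constructed CycloneDX-style SBOM fragments, one per device model, reduced
# to the fields this triage needs (a real SBOM also carries purl, hashes, etc.).
SBOMS = {
    "InfusionPump-A": [{"name": "libtls-example", "version": "1.2.3"},
                       {"name": "rtos-example", "version": "4.0.1"}],
    "Ventilator-B":   [{"name": "libtls-example", "version": "1.4.0"}],
    "ImagingWS-C":    [{"name": "smb-stack-example", "version": "2.1.0"}],
}

# Constructed asset inventory: unit count and whether the model is reachable
# from the general hospital network (the two facts triage needs most).
INVENTORY = {
    "InfusionPump-A": {"units": 120, "network_exposed": True},
    "Ventilator-B":   {"units": 30,  "network_exposed": False},
    "ImagingWS-C":    {"units": 4,   "network_exposed": True},
}

# Constructed advisories: installed versions below fixed_in are affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "libtls-example",
     "fixed_in": "1.3.0", "patch_available": True},
    {"id": "EXAMPLE-ADV-0002", "component": "smb-stack-example",
     "fixed_in": "2.2.0", "patch_available": False},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only. Anything else raises, so a malformed
    SBOM entry is surfaced rather than silently treated as unaffected."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # treat 1.2.0 as equal to 1.2
        parts.pop()
    return tuple(parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


@dataclass
class Finding:
    advisory: str
    device: str
    component: str
    version: str
    units: int
    network_exposed: bool
    patch_available: bool

    @property
    def score(self) -> int:
        # Weighting is an assumption for this example: reachability from the
        # network first, then lack of a vendor fix, then fleet size.
        return ((3 if self.network_exposed else 0)
                + (2 if not self.patch_available else 0)
                + (1 if self.units >= 50 else 0))

    @property
    def action(self) -> str:
        return ("schedule vendor patch" if self.patch_available
                else "isolate / apply compensating controls, escalate to vendor")


def triage(sboms, inventory, advisories) -> list[Finding]:
    """Cross-reference every advisory against every device SBOM and rank."""
    findings = []
    for adv in advisories:
        for device, components in sboms.items():
            for comp in components:
                if (comp["name"] == adv["component"]
                        and is_affected(comp["version"], adv["fixed_in"])):
                    inv = inventory[device]
                    findings.append(Finding(adv["id"], device, comp["name"],
                                            comp["version"], inv["units"],
                                            inv["network_exposed"],
                                            adv["patch_available"]))
    return sorted(findings, key=lambda f: (f.score, f.units), reverse=True)


if __name__ == "__main__":
    for f in triage(SBOMS, INVENTORY, ADVISORIES):
        print(f"{f.advisory} {f.device} ({f.component} {f.version}) "
              f"units={f.units} score={f.score}: {f.action}")
```

With the constructed data, the four imaging workstations with no vendor patch outrank the 120 infusion pumps that already have one, which is the point of a risk-based triage: a small, exposed, unpatchable population needs isolation and vendor escalation first, while a large population with a fix available goes into the normal patch schedule. The version parser deliberately rejects anything that is not dotted-numeric, because an SBOM entry whose version cannot be compared must be investigated, not assumed safe.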
Nevertheless, challenges remain for both manufacturers and HDOs. Manufacturers continue to face supply chain issues related to the source of their software and firmware, as well as interoperability concerns. Hospitals must deal with asset inventory issues including managing legacy devices. “Medical device asset inventories, at least from the cybersecurity perspective, tend to be pretty poor,” Wirth said.
Path to Cybersecurity Success
An HDO's security practices should ideally include an evaluation of device security features, responsibility agreements, information on patching, provision for security risk management and more.
The Healthcare & Public Health Sector Coordinating Council's Model Contract Language for Medtech Cybersecurity is an excellent resource. The Manufacturer Disclosure Statement for Medical Device Security (MDS2) provides answers to most basic security questions about a given device. The MDS2 is used internationally by health care providers, independent service organizations (ISOs) and security services.
IEC 80001-1's responsibility agreement is another well-established resource. It assigns overall responsibility for medical device cybersecurity, which typically lies with the HDO but can be contracted to a third party, and it spells out which aspects are shared between the HDO and the manufacturer.
Cybersecurity risk assessments will vary by organization but should include a risk analysis, a risk evaluation, risk controls and an assessment of residual risk. And if the worst happens and there is an incident at your facility? The HDO and the device manufacturer are the primary stakeholders responsible for the outcome. Ultimately, the four most important tenets of medical device cybersecurity are protecting the device itself, protecting the overall ecosystem, managing medical devices and responding properly to incidents.
For more information, visit aami.org.
