ISC21: Standards and Regulations Meet Increasingly Complex Cyberthreats

By: Jennifer Peters

October 28, 2021

Categories: AAMI News, Government, Health Technology Management, HTM Professionals, Information Technology, Medical Device Manufacturers, Medical Device Manufacturing

A hook attached to a red envelope represents the threat of a phishing attack.Ransomware delivered through phishing emails are an increasingly common form of cyberattack.

In a year that saw the first direct patient death attributed to a cyberattack, as well as a ransomware attack that led to a widespread gas shortage, cybersecurity issues were front and center at the 2021 AAMI/FDA/BSI International Conference on Medical Device Standards and Regulation (International Standards Conference, or ISC).

The threats are more complex than ever, and they affect not only connected devices, but everyday business operations, said Michelle Jump, global regulatory advisor-medical device cybersecurity for MedSec, who co-presented a session on managing medical devices in an increasingly hostile environment.

The threats are also more numerous. In 2020, the risk was up across the board:

●61% of companies suffered ransomware attacks.
●Email threats increased by 64%.
●79% of companies were hurt by their lack of cyber preparedness.

Part of this growth has been spurred on by MaaS, or Malware as a Service. Essentially, MaaS is the creation of cybercrime as a business model. Through MaaS practices, advanced cyber criminals can develop and rent out botnets to other potential digital wrongdoers, who can then deploy those botnets to attack the system or network of their choosing with little technical know-how required.

As Jump said, “Anyone can be a cybercriminal as long as they’re willing to pay to do so.”

What does that mean for medical device developers and manufacturers? It means that no system is safe. In fact, Jump advises developers to always “assume a hostile network” and work through all the potential dangers in advance. Device manufacturers can no longer rely on the hospitals or other partners to provide a secure network, as the distribution of attack tools means everyone is under attack.

Knowing when you’re under attack has also become more challenging, thanks to MaaS. While previously you could rely on the “red screen of death,” as Jump calls it, today’s attacks won’t always be so obvious. The ability for criminals to target attacks more precisely has given them the ability to increase their stealth, dragging down a network without ever raising any red flags.

Ethernet cables neatly plugged into network hardware.

Preparing for these events is more vital than ever, Jump explained. She called attention to three medical device–specific standards in progress that can help guide developers through the design and clearance processes.

AAMI SW96, Medical Devices—Application of Security Risk Management to Medical Devices

Based on TIR57 concepts, SW96 “really sets the stage for what good security management should look like,” Jump said. “It has the expectation to be the standard to which you can conform.” The standard discusses the differences between security risk management and safety risk management, and guides device manufacturers through the development of risk assessment protocol.

IEC60601-4-5, Devices Medical electrical equipment—Part 4-5: Guidance and interpretation—Safety-related technical security specifications

One of the first cybersecurity standards specific to medical devices, IEC60601-4-5 offers guidance on common security constraints as well as how to best determine the risk and map the requirements needed for each security level.

ISO/IEC 81001-5-1, Health software and health IT systems safety, effectiveness and security—Part 5-1: Security—Activities in the product life cycle

Still under development, ISO/IEC 81001-5-1 marries two familiar standards—IEC 62304 and IEC 62443. By merging a device standard with a broader security standard, ISO/IEC 81001-5-1 creates a medical device-specific standard that can guide safety and cybersecurity across the device’s life cycle.

Jump noted that all three standards are still in development and because they are geared to an international audience, it will take time to finalize each. However, she noted that the development of international standards and the time spent doing so allows the final standards to address not only the of-the-moment cybersecurity concerns, but those that affect legacy devices and software, too.

The FDA, she explained, is also ramping up its vigilance with regard to cybersecurity concerns. Going forward, all devices submitted for FDA clearance or approval will need to be accompanied by a dedicated, stand-alone threat model and an SBOM (software bill of materials). Even if a device was previously submitted to the FDA, any updates will need to include threat models and SBOMs. And if the SBOM shows unsupported components (for example, a patch that is no longer compatible with a Windows operating system), the submission may not be cleared.

That said, Jump believes it’s a best practice to develop an SBOM and threat model, even if it’s not explicitly required. “The threat model and SBOM are actually there to help your product be better,” she explained. “A well-done threat model helps design teams understand their systems better than they would otherwise, often better than [with a traditional risk management plan].”

Michael McNeil, senior vice president and global chief information security officer for McKesson agreed, noting that unlike a risk management plan, a threat model is “more than just the modeling of the actual product, but how that product is being implemented inside a specific environment.”

The FDA is also stepping up measures to ensure consistent and predictable guidance regarding cybersecurity. Through the FDA Focal Point Program, the agency is “evening the playing field” by creating a system that provides consistent engagement and feedback no matter who handles a review or when. Jump said this will “not dilute” or toughen the approval process, but rather make it more predictable and easier to navigate for manufacturers.

Together, these changes to the medical device industry’s approach to cybersecurity have the potential to create a safer, more secure ecosystem for connected devices—and for businesses in general.

Save the date! The 2022 International Standards Conference will be April 27-28 in Arlington, VA.