For healthcare product and medical device technology developers, ensuring effective support for cybersecurity compliance is becoming a key step in securing regulatory approval and market access.

Cyber-attacks have shifted in status from being news headlines to becoming a mundane part of day-to-day operations for many businesses, including hospitals. However, for many product development teams designing products with security in mind is a new and daunting challenge, and when coupled with the challenges of how the approaches may be viewed by regulators, the concerns grow even more.

In 1997, the US FDA formally began to examine the role of software in the safety and effectiveness of medical devices. In 2008, significant investments began to take place, not just in the US, but around the world, to create new technologies that would reduce healthcare costs and make healthcare more readily available to the growing population, where the proportion of elderly people with chronic health conditions was outpacing the capacity for healthcare delivery. These technologies were mostly based on software.

Beginnings of a healthcare cyber regulatory approach

In 2013, FDA, the US Federal Communications Commission and the Office of the National Coordinator for Health Information Technology (ONC) came together with the private sector to look into the full scope of risks associated with new technologies including mobile medical apps, clinical decision support software, telemedicine devices, and a host of others. This assessment was conducted under the FDA Safety and Innovation Act, and ultimately, when followed by the 21^st Century Cures Act, drew some fairly clear lines to distinguish technologies that would receive significant regulatory scrutiny from those that would not. During this same period of time, we saw a sudden uptick in the healthcare sector in exploitation of vulnerabilities and weaknesses in software, a phenomenon we now know well as “cyberattacks.”

Even though the attempt to “deregulate” was aimed at easing the market deployment of innovative new healthcare technologies, it left many manufacturers wondering how they would deal with the lack of a regulatory safety net to help them establish market confidence in the security of the innovative new products that were being launched.

Emergence of healthcare cybersecurity standards

This became the role of Voluntary National Consensus Standards, such as ANSI/CAN/UL 2900-1 and ANSI/CAN/UL 2900-2-1 (the Standard for Safety - Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems), which were also formally recognized by FDA as well as several other regulators around the world for the role they could play in security assurance.

The requirements of these standards address the following key issues to ensure an acceptable level of cybersecurity hygiene:

• Establishing that manufacturers have characterized and documented the technologies used in their products that could constitute an “attack surface.”
• Requiring threat modeling based on intended use and relative exposure.
• Demonstrating the effective implementation of security controls protecting both sensitive data (e.g. PII, PHI) and also other assets such as command and control data.
• Providing objective evidence that software weaknesses and vulnerabilities have been appropriately dispositioned and further verified via Penetration Testing.
• Promoting defensive design (e.g. defense-in-depth, partitioning, etc.).
• Helping ensure system robustness (e.g. fuzz testing/malformed input testing).
• Monitoring for security events.
• Logging of security events.
• Managing security logs.
• Updating software to address safety, essential performance, and security issues.
• Handling failures in the software update process (e.g. roll-back).
• Controlling the security of  purchased components.
• Managing of sensitive data.
• Securing remote product management functionality.
• Decommissioning in a manner that protects patient data (e.g. purging of PII / PHI).

These standards were developed by the Standards Technical Panel, a multi-stakeholder National Consensus Body assembled under the ANSI Canvass process to represent the various interests in the cybersecurity from across the sector, including, hospitals, academia, manufacturers, component vendors, clinicians, patients, and many others.

What to look for in third-party cybersecurity management support

For connected medical device and technology developers seeking third-party support for successful product development, market access and regulatory compliance, identifying partners with the experience and capability to work with them as well as their component vendors and healthcare system integrators is crucial. Viable third-party consultants and advisors to medical product developers should be able to provide support during all phases of a product lifecycle:

• Product Conception – helping innovators understand cyber risks and the regulatory landscape.
• Requirements Engineering and Architectural Development – bringing concepts like security “defense-in-depth” into early product development conversations.
• Detailed Design – helping manufacturers understand how to “build security in” proactively rather than reactively trying to “bolt it on” when there is a problem in the field.
• Implementation – helping with questions like, “How do I manage programming language weaknesses?” and, “What are the regulators going to expect from me?”
• Verification, Validation, and Testing – penetration testing, static binary analysis, static source code analysis, malware testing, malformed input testing (aka “fuzzing”) and many other V&V activities are needed to build assurance in the market that connectable products meet security standards.
• Operation and Maintenance – unlike traditional product safety (e.g. electrical and mechanical aspects), where product failure modes are fairly static, cybersecurity introduced the notion of a constantly changing threat landscape where new adversaries and attack vectors are constantly arising as new vulnerabilities in software are found. 

Ken Modeste is Director and General Manager, Digital Health at UL Life & Health Sciences.

Related medical device cybersecurity and regulatory resources from Emergo by UL:

• Healthcare cybersecurity risk management and procurement support
• US FDA cybersecurity guidance consulting
• Webinar: Mapping cybersecurity standards to FDA guidance