The health care cybersecurity challenge
In its premarket guidance released in October 2014, the FDA stated, “FDA will not typically need to review or approve software changes made solely to strengthen cybersecurity.” This means that medical device manufacturers have the freedom to patch and update fielded products for cybersecurity vulnerabilities without FDA review. This is good news; however, it solves only a portion of this complex problem. The amount of effort involved for the medical device manufacturer to monitor for critical security vulnerabilities, assess the potential impact of those vulnerabilities on fielded products, and ultimately package and deploy those patched systems is enormous. More importantly, most medical device manufacturers do not already have these processes in place, so they would need to begin by building the capabilities before even being able to address the issue.
In addition to implementing entirely new processes, which may require new skill sets, medical device manufacturers are challenged by the continuous discovery of vulnerabilities that must be addressed. Unlike in other industries wrangling with the same cybersecurity issues, in health care patient safety is critically important. So simply applying the latest patches without thoroughly understanding the potential impact of those patches on other parts of the system is not an option.

Typically, the existing testing infrastructure can be leveraged to verify and validate the safety of a device after a cybersecurity vulnerability has been patched. However, it is important to thoroughly understand the potential impact of a patch on the system by identifying all of the affected components. In other words, when patching for a specific vulnerability, tests must be performed to determine whether there is an impact elsewhere in the system, potentially on a component that directly interacts with the portion of the system that was patched. Again, most organizations are adept at testing; the challenge remains that cybersecurity vulnerabilities are evolving at a pace that will require the modification of current processes in order to meet this tremendous demand. Through continuous monitoring of cybersecurity vulnerabilities and the evolving threat landscape, assessment and prioritization of potential threats, and diligent application and thorough testing of patched systems, organizations can begin to respond to the health care cybersecurity challenge.