
Ovum view

Summary

In late December 2016, the US Food & Drug Administration (FDA) released the final installment of its cybersecurity guidelines, this one focusing on postmarket risk management in medical devices. The guidance joins the premarket guidelines issued in late 2014, giving manufacturers a continuum that covers the full product lifecycle and aims to better protect patient safety in a world of increasingly connected medical devices.

Security starts with design…and is never complete

Today, hacking of connected devices is rarely a deadly threat; a smartwatch may contain sensitive personal communications or account information, but will not cause bodily harm if infiltrated with malware or other malicious code. This is not the case in the expanding world of medical devices, where extremely sensitive biometric data is used to deliver highly personalized medical care, often remotely under the supervision of a doctor. A compromised medical device can stop working, cause an overdose, or potentially kill. As devices become more sophisticated and personalized, these dangers are only likely to increase, because patients or caregivers may not easily be able to manually "override" the devices with standard doses or procedures.

Increasingly, medical devices may be connected to a variety of networks, including those belonging to healthcare facilities and those within patients' homes, creating multiple involved parties and multiple layers of risk to data and device functionality. Medical devices and the data they transmit are potentially an attractive target for hacking; in the past several years, stolen medical information has surpassed financial data in value on the criminal market. While a credit card number may be easily reset, a patient's health history and biometric details are inextricably tied to their identity, and can be used against them for a litany of nefarious purposes, ranging from extortion to discrimination. Thus, security of devices and privacy of data are paramount issues in the field of connected medicine.

The emphasis of the new guidelines – in conjunction with the premarket guidelines issued in late 2014 – is that security of these connected medical devices is an ongoing, full-lifecycle management issue. Security products alone, much like in the case of enterprise information management, are not sufficient to address the entire policy and technical basis for cybersecurity risk. Instead, control begins with awareness and policy, and branches out to include procedures for identification of risk, responsibilities for risk remediation, system architecture, maintenance timelines, and supporting technology strategy to achieve these objectives.

The new guidelines for postmarket cybersecurity management of devices take many principles from information management strategy, especially with regard to treating the entire security process as an iterative one that continues throughout the entire lifetime of the product, from creation to cessation of use or replacement. Device-makers are advised to:

  • create a framework for continuous monitoring of device vulnerabilities

  • maintain ongoing relationships with cybersecurity researchers so that vulnerabilities can be identified and patched as soon as possible

  • have a methodology in place for assessing the severity of patient safety risk for any given security vulnerability

  • identify and designate responsibility for data security among all parties that may come into contact with device data

  • maintain robust software lifecycle processes that include mechanisms for monitoring third-party software components and design verification and validation for software updates and patches.

Combined, these strategies clearly require a holistic framework beyond a product "solution" approach. With increasingly sensitive data becoming increasingly connected and vulnerable to threats, security needs to be more deeply ingrained in every step of the information management process.

Appendix

Further reading

Software Market Forecast Report: Information Management, 2015–20, IT0014-003162 (December 2016)

"Standards, regulation, and accountability are required to avoid IoT Armageddon," IT0007-000919 (November 2016)

Author

Paige Bartley, Senior Analyst, Information Management

paige.bartley@ovum.com
