Health information has always been a valuable target for malicious actors. Unfortunately, the proliferation of connected medical devices has created an ever-growing attack surface for them to target. This problem is made worse because many medical manufacturers use legacy systems, which lack state-of-the-art cybersecurity and are easier to breach. As a result, governments in the United States, Canada, the European Union, and other jurisdictions have set up cybersecurity regulations to protect patients and ensure medical device manufacturers effectively address vulnerabilities. While the regulatory specifics differ and are constantly being updated to strengthen protections, they follow generalized best practices that cover devices for the duration of their lifetime. Following these standards not only helps keep you compliant but also makes sure you’re offering your customers and their patients secure medical devices.
As with other industries, cybersecurity testing and regulatory compliance for medical manufacturers is not a one-size-fits-all process. What needs to be done will always depend on what stage your company is at, what stage of development your products are at, what cybersecurity measures you already have in place, as well as other variables. Leaving aside these variations, here are six cybersecurity focuses to maintain best practices in the medical device manufacturing industry.
6 Areas of Cybersecurity Focus for Connected Medical Device Manufacturers
1. Compliance and Security Landscaping
The first step in meeting compliance and best-practice cybersecurity is to have your security landscape mapped out. While established companies will likely already have this completed, less mature companies will be less well versed in this area. Compliance might sound straightforward enough, but changing regulations and misinformation can make staying up to date with implementation difficult. Likewise, mapping out your IT infrastructure, including locating endpoints and network devices, is necessary to know what cybersecurity measures need to be put in place. This is about more than just checking boxes on a compliance list. It’s about achieving true protection against cyber threats.
2. Managed Detection and Response
Managed detection and response (MDR) entails outsourcing your cybersecurity monitoring and response services to protect data and assets. Certainly, you may have a cybersecurity system already in place. But your system is only as good as the people behind it. Trying to build up your cybersecurity internally can be costly, particularly when you’re trying to keep up with the ever-evolving nature of cyberattack schemes. Outsourcing detection and response to experienced professionals ensures that your system is running correctly and updated regularly, and that any potential gaps are detected and closed immediately.
3. Endpoint Security
Each device is an endpoint which, if not secured, can give malicious actors access to medical devices and the IT infrastructure they are connected to. This can result in breaches of Protected Health Information (PHI), which in turn can result in fines and reputational damage. Consequently, endpoint security is one of the biggest concerns with medical devices. Luckily, there are now advanced endpoint security solutions, such as CrowdStrike. CrowdStrike is a cloud-native endpoint security platform that can be used by medical device manufacturers and has been validated to support HIPAA compliance. Given its next-generation technology, CrowdStrike has a partnership with the US Cybersecurity and Infrastructure Security Agency (CISA) to provide endpoint security for government agencies. It also has partnerships with major medical device manufacturers, like Nihon Kohden.
4. Vulnerability Assessment
Vulnerability assessments provide a snapshot of the vulnerabilities that exist within your security environment, such as unpatched or misconfigured network services. With medical devices, this means checking to see if there are entry points that malicious users can exploit to enter your system. A vulnerability assessment supplies a baseline for you to fill in gaps and make sure your system is secure. Vulnerability assessments should be undertaken regularly, particularly after configuration changes, updates, integration of new technology, and migration of existing data.
5. Penetration Testing
A central part of cybersecurity for medical device manufacturers is penetration testing (or pentesting). Pentesting involves a simulated attack on your devices to see if there are any vulnerabilities that could be exploited by malicious actors. While there are various techniques in pentesting, including passive and active simulated attacks, the point is that you need to conduct pentesting to make sure your devices can’t be penetrated in a way that would let malicious actors gain access to the device and the network it is connected to. While many companies conduct pentesting internally, it’s best to contract it out to third parties with cybersecurity expertise and a fresh outlook on your devices.
6. Ongoing Security Information and Event Management
A final focus of cybersecurity for medical device manufacturers is ongoing Security Information and Event Management (SIEM). The focuses above largely involve testing the environment, but you also need to have cybersecurity safeguards running full time. This can be achieved with a Security Operations Center (SOC) and SIEM. SOC and SIEM solutions act as your command center, where you monitor your network and devices, and your defense center, which logs and responds to any security events that arise. These provide you with real-time visibility to detect any intrusions into your devices or systems and prevent malicious users from gaining access to them.
NaviSec: Security Testing Tailored to Your Needs
While these are some key cybersecurity focuses, each company’s cybersecurity needs differ, depending on where you are in developing your product and building your company. Because no two companies are the same, NaviSec works with clients to offer custom packages that meet their needs. If, as a medical device manufacturer, you need to address all of the above areas of concern, we have packages that offer a full-suite solution. But if you’re just looking for pentesting, vulnerability assessment, or endpoint security alone, we still have you covered. We have some of the best cybersecurity engineers in the world and offer custom solutions and management for third-party platforms, including CrowdStrike.
Our approach is to consult with clients on a security audit to see where their security gaps are and to fill them in. Contact us for a free consultation to assess your cybersecurity needs.