Increasing attack surface area
As more medical devices and information databases are connected to the internet, the attack surface available to cyber criminals grows. With medical professionals and patients able to access information through devices and internet portals, educating both on good cyber security is vital.
Complex supply chains and stakeholders
Understanding and reducing vulnerability in devices and embedded systems is no small task. Medical device manufacturers need to apply secure-by-design principles in the Software Development Lifecycle (SDL), secure access, understand and address vulnerabilities, and protect against, detect and respond to malware. Furthermore, a software bill of materials can be extensive, and cyber security must be addressed across the supply chain. Stakeholders such as medical professionals, hospitals and end users must also be considered.
Cutting through the complexity of industry guidance
No single framework addresses the multitude of quality and security concerns. For example, the FDA are proposing to ‘advance medical device safety by explicitly requiring that medical device manufacturers design cybersecurity into their devices and by ensuring that FDA and the public have certain information about device cybersecurity.’ There are also plenty of internationally recognised standards. However, understanding and applying industry-accepted best practice, e.g., ISO 27001, ISO 14971:2019, IEC 62443, IEC 62304 and ISO 13485, can be daunting.