Collaborative Security for Medical Devices – Best Practices for Device Manufacturers and Healthcare Delivery Organizations

As healthcare systems become increasingly digital and interconnected, ensuring that the availability, confidentiality and integrity of medical devices is protected is critical for patient safety and for the security and privacy of health data. Cyberattacks can lead to the malfunction of life-saving equipment, unauthorized access to sensitive patient data and overall disruption of healthcare services. Thus, a coordinated approach between MDMs and HDOs is necessary to mitigate these risks effectively. Simply put, medical device security should be considered a team sport.

Only recently have MDMs officially been charged with or expected to include security features within the design of medical devices, enabling these devices with default or optional security settings, configurations, etc., (e.g., drive encryption or secure authentication mechanisms like usernames and passwords or pin codes) where possible. Concurrently, HDOs have been responsible for implementing and maintaining the security of devices within their organizations (e.g., understanding and configuring the embedded security settings and placing them in appropriate and secure network segments). However, as the devices and the environments within which they are being used continue to become more technically complex, achieving a secure state of being has become increasingly difficult. To that end, some MDMs are seeing recent success in providing additional medical device security guidance and collaboration as a competitive advantage against their peers in the marketplace.

MDMs and HDOs can collaborate using the following strategies to ensure the safety of their patients and the security and privacy of their data:

1. Document and share a roles-and-responsibilities matrix. MDMs and HDOs must acknowledge that both parties play pivotal roles in designing, implementing and maintaining device security across various stages – from manufacturing through end-of-life disposal. Organizations should document and record specific roles and responsibilities each entity will play, along with service-level agreements (SLAs) which may already be contained within the contractual language and use those as a barometer for future analysis of how each organization is complying with their specific tasks. This documentation can include, but should not be limited to:

• The creation, updating and delivery of a manufacturer disclosure statement for medical device security (MDS2) and software bill of materials (SBOM)
• Execution of periodic risk assessments
• Identification of potential vulnerabilities
• Patch management (e.g., device software, firmware and servers)
• Regular operational maintenance on devices

2. Utilize MDS2 forms, SBOMs and user manuals. One of the easiest ways for MDMs and HDOs to share critical device security information is through the use of MDS2 forms,SBOMs and device user manuals. These documents continue to gain traction in the industry as the standard for security collaboration.

• MDS2: The newest version of the MDS2 form template contains more than 200cybersecurity questions and descriptions.
• SBOM: While the community doesn’t have a definitive template for the SBOM yet,this document should contain an inventory of all the software-related parts, piecesand components that make up the medical device and the platform it uses. This helps HDOs identify and track any risks and/or vulnerabilities inherently included within the device that may not be distinctly disclosed by the MDM as part of the product.This is very useful for disclosures of issues like zero-day vulnerabilities. MDMs should focus on creating, updating and delivering these documents, while HDOs should remember to ask for the documents, leverage their content to understand and implement devices securely, then add them to their accessible inventory for future use as needed.
• User Manuals: This is the single most currently utilized document by HDOs andt heir medical device teams. Key considerations about how devices should be configured, default settings and accounts/passwords changed, user authentication integrations, etc., should be a key component of these manuals that can be better utilized by HDOs to ensure the most optimal setups are occurring. Additionally, these manuals describe the needed preventive maintenance cycles that could be expanded to check for key security configuration and controls as part of the optimal operation to better ensure patient safety.

3. Develop and distribute device whitepapers and implementation guidance. Many MDMs have developed and distributed device-security white papers to help their customers and patients understand device cybersecurity at a higher level using layman’s terms. These papers can provide directional intent, show broad capabilities and convey a commitment to security. Taking this idea one step further, MDMs and HDOs can collaborate to develop custom device implementation guidance, which can create a true competitive advantage when trying to sell devices to hospital systems. An extra advantage is gained by those who develop and maintain data flows and network diagrams detailing where and how electronic protected health information (ePHI) is shared over the hospital and/or vendor networks between the platforms, applications, databases, infrastructure, etc.

4. Join and participate in information-sharing consortiums and working groups. MDMs and HDOs should foster transparency between their organizations and seek to further their own education by joining and participating in information-sharing consortiums and working groups such as the Medical Device Information Sharing and Analysis Organization (MedISAO), Health Information Sharing and Analysis Center (H-ISAC), Healthcare Information and Management Systems Society (HIMSS), Medical Device Innovation Consortium (MDIC), Health and Human Services (HHS) 405(d) Program to align healthcare industry security practices, the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, Archimedes Center for Healthcare and Medical Device Cybersecurity, and more. These organizations each have differing viewpoints and objectives but can provide great platforms for both MDMs and HDOs to gather and share knowledge and work collectively on medical device security.

5. Conduct joint cybersecurity risk assessments. Organizations can partner to conduct periodic joint risk assessments leveraging tools like NIST’s Cybersecurity Framework to determine vulnerabilities specific to integrated environments. This can be particularly helpful if the device or platform being assessed is technically complex and/or situated within a vendor’s network within the health system. Teams can review the roles and responsibilities matrix, as mentioned above, alongside the MDS2 form to identify potential vs. implemented security configurations and options. Organizations can leverage a medical device security lifecycle assessment (see figure below) for projects such as this.

6. Coordinate incident response (IR) and resiliency planning with MDM partners. Oftentimes, HDOs create their incident response plans (IRPs) in a vacuum and don’t include other organizations in any planning or response or resiliency efforts. This is a mistake. HDOs should leverage their relationships with their MDM partners to request assistance and support in the following IR-related activities:

• Easy identification and warm storage of device backup configurations
• Potential contracts and agreements for replacement devices in the event of widespread incidents
• On-demand technical support in the case of an incident
• Participation in tabletop exercises to test IR plans and coordination

7. Leverage training, education and awareness. Historically, MDMs designed devices; HDOs (biomed teams) implemented, used and maintained those devices; and, more recently, HDO cybersecurity teams protected those devices from cyber risks and threats. These teams simply didn’t share knowledge, skills and/or experience. Going forward, these teams must work together to share best practices and determine how to best secure devices to protect patient health and safety and their data. Specific training and awareness components and programs can be leveraged from each source to collectively increase capabilities around securing and protecting medical devices. Easy examples of this include flyers and brochures, email newsletters, and even simple partnership commitment statements.

Enhancing cybersecurity in medical devices requires concerted efforts from both MDMs and HDOs. By adopting best practices recommended by regulatory bodies like the FDA and aligned with international standards such as the International Organization for Standardization (ISO) and NIST guidelines, organizations can build a robust defense against cyber threats. Collaboration is key. Sharing responsibilities, knowledge and strategies will lead not only to more secure products but also to safer healthcare delivery systems where patients' well-being remains paramount.

Medical device lifecycle review

The medical device lifecycle review program outlined below was developed with guidance from the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the FDA pre/post guidance, and the HIPAA Security Rule to develop an assessment program for medical device security that covers key controls that constitute an effective medical device security program.

Function		Control Category
Image	Strategy & Governance	Medical Device Security Program & Strategy Risk & Control Framework/Risk Management Processes Policies & Procedures Organizational Leadership & Team Integration Procurement Planning & Requirements
Image	Identify & Track	Asset Inventory, Categorization, and Prioritization Risk Assessment & HIPAA Risk Analysis Data Flow Documentation
Image	Protect	Access Control, Data Security, and Network Segmentation Manufacturer Disclosure Statement for Med Device Security (MDS2) Vulnerability & Patch Management Awareness and Training Device Handling Procedures
Image	Detect	Security Incident Identification, Logging, & Monitoring Loss & Theft Detection & Reporting Continuous inventory Monitoring & Vendor Alerts
Image	Respond	Incident Response Plan Periodic Incident Response Plan Testing Incident Tracking & Handling Forensic Capabilities & Processes
Image	Recover	Disaster Recovery & Business Continuity Lessons Learned/Postmortem Exit from Lifecycle/Decommission

NIST, FDA, & HIPAA-Based Assessment

The assessment framework developed heavily leverages the NIST Cybersecurity Framework. This framework has been extremely popular due to its "attack focused' organizational structure. The FDA's pre/post medical device security guidance leverages CSF, and both control frameworks integrate with the HIPAA Security Rule standards and implementation specifications.