_________________________________________________________________________________________________________________Proceedings of the Central European Conference on Information and Intelligent Systems 237 An Overview of Cybersecurity Regulations and Standards for Medical Device Software Nadica Hrgarek Lechner MED-EL Elektromedizinische Geräte GmbH Fürstenweg 77, 6020 Innsbruck, Austria [email protected] Abstract. This paper discusses current cybersecurity 1970, Ware finalized a report about security controls regulations and standards for medical device for computer systems and emphasized that design of a software set by government agencies and agencies secure system must provide protection against the developing industry and international standards such various types of vulnerabilities such as accidental as the FDA (Food and Drug Administration), CFDA disclosure, deliberate penetration, active infiltration, (China Food and Drug Administration), ISO and physical attack (Ware, 1970). Ware (1970) stated (International Organization for Standardization), IEC the following general characteristics as desirable in a (International Electrotechnical Commission), UL secure system: flexible, responsive to changing (Underwriters Laboratories), and others. The operational characteristics, auditable, reliable, concepts described within this paper can be utilized manageable, adaptable, dependable, and assuring by medical device manufacturers in order to establish configuration integrity. a cybersecurity program as part of their quality Burns et al. (2016) identified four periods in the management systems. In general, there are three history of medical devices which evolved from the complementary ways based on the NIST (National non-networked and isolated equipment to networked Institute of Standards and Technology) cybersecurity devices incorporating remote access, wireless framework that can be used to remove gaps in the technology, and complex software. The first period organization’s cybersecurity. The first way focuses on (1980s–present) involved concerns about the complex designing software products that take cybersecurity systems and accidental failures. The second period into account (i.e., prevention). The second way is to (2000–present) involved concerns about the security perform security and penetration testing and to apply and reliability of implantable medical devices. The other cybersecurity controls to reduce attacks and third period (2006–present) raised questions about the vulnerabilities that could be exploited (i.e., detection). vulnerability of medical devices to unauthorized The third way emphasizes maintenance plan in case parties. In the fourth period (2012–present), attention of a cyberattack (i.e., response and recovery). has turned to the cybersecurity of medical devices. A recent KPMG’s survey (2015) of 223 healthcare Keywords. cybersecurity, FDA, information security, executives revealed many information security medical device software, security risk management concerns: malware infecting systems, HIPAA (Health Insurance Portability and Accountability Act) violations/compromise of patient privacy, internal vulnerabilities related to employee theft/negligence, 1 Introduction medical device security, and aging IT hardware. According to a recent study from the Ponemon This paper is divided into five sections. The first Institute (2016), healthcare organizations experience, section focuses on history and cybersecurity in the on average, a cyberattack almost monthly as well as context of medical devices. Definitions of the key the loss or exposure of sensitive and confidential terms used in this paper are provided in the second patient information. Arxan’s (2016) study on section. The third section provides an overview of the application security reveals that 90% of 126 mobile cybersecurity regulations, standards, and guidelines health and finance apps tested had at least two critical for medical device software. The fourth section security vulnerabilities. investigates how to incorporate cybersecurity into the In January 2017, the U.S. Food and Drug quality management system. Some conclusions are Administration issued a safety communication drawn in the final section. confirming cybersecurity vulnerabilities found in St. Cybersecurity is a complex, multidisciplinary Jude Medical's Merlin@home wireless transmitter computing-based discipline that has its roots in the that could affect the company's line of implantable 1960s. First paper on security and privacy in cardiac devices (“Cybersecurity Vulnerabilities computer systems was published by Ware (1967). In _________________________________________________________________________________________________________________ 28th CECIIS, September 27-29, 2017, Varaždin, Croatia _________________________________________________________________________________________________________________238 Proceedings of the Central European Conference on Information and Intelligent Systems Identified in St. Jude Medical's Implantable Cardiac Security is “protection of information and data so Devices and Merlin@home Transmitter: FDA Safety that unauthorized persons or systems cannot read or Communication”, 2017). Two months later, the FDA modify them and authorized persons or systems are issued a warning letter to Abbot. The company failed not denied access to them” (ISO/IEC 12207, 2008, p. to confirm that all required corrective and preventive 7). The most common security objectives are as actions were completed to correct and prevent follows: data confidentiality, data integrity, access recurrence of potential cybersecurity vulnerabilities control, authentication, authorization, and non- associated with its Merlin@home device, originally repudiation. manufactured by St. Jude Medical (“Abbott (St Jude Threat is “a circumstance or event that has or Medical Inc.) 4/12/17”, 2017). In August 2017, the indicates the potential to exploit vulnerabilities and to FDA issued another safety communication confirming adversely impact (create adverse consequences for) a firmware update that was needed as a corrective organizational operations, organizational assets action to reduce the risk of patient harm due to (including information and information systems), potential exploitation of cybersecurity vulnerabilities individuals, other organizations, or society” (“A for certain Abbott implantable cardiac pacemakers Glossary of Common Cybersecurity Terminology”, (“Firmware Update to Address Cybersecurity 2017). Vulnerabilities Identified in Abbott's (formerly St. Vulnerability is a “weakness in an information Jude Medical's) Implantable Cardiac Pacemakers: system, system security procedures, internal controls, FDA Safety Communication”, 2017). or implementation that could be exploited or triggered by a threat source” (AAMI TIR57, 2016, p. 5). 2 Key Definitions 3 Cybersecurity Regulations and This section provides definitions of the key terms. Standards for Medical Device Asset is “a person, structure, facility, information, and records, information technology systems and Software resources, material, process, relationships, or reputation that has value” (“A Glossary of Common In this section we provide an overview of currently Cybersecurity Terminology”, 2017). published cybersecurity regulations, standards, and Availability aims to keep information accessible guidelines in the context of medical device software. when it is needed (Svensson, 2016). This overview can serve as an input to establish and Confidentiality aims to prevent sensitive maintain procedures that address cyberattack information (e.g., medical records) from falling into prevention, detection, and response/recovery. the wrong hands (Svensson, 2016). Cybersecurity is “the process of preventing 3.1 FDA and CFDA Guidance Documents, unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is ISO/IEC 29147, and ISO/IEC 30111 stored, accessed, or transferred from a medical device The FDA has issued three guidance documents on to an external recipient” (FDA, 2014, p. 3). cybersecurity listed in Table 1. The FDA guidance “Cybersecurity ensures that appropriate safeguards documents (2014, 2016) are applicable to devices that are in place to reduce the risk of failure because of contain software (including firmware) or cyberattack, which could be initiated by the programmable logic, and to software that is a medical introduction of malware into the medical equipment device, including mobile medical applications. or by unauthorized access to configuration settings in medical devices” (ANSI/AAMI CI:86, 2017, p. 30). Table 1. FDA guidance documents on cybersecurity Data and systems security is defined as “operational state of a medical device in which Year Title information assets (data and systems) are reasonably issued protected from degradation of confidentiality, Guidance for Industry – Cybersecurity for integrity, and availability” (AAMI TIR57, 2016, p. 2). Networked Medical Devices Containing 2005 Information security is “protection of information Off-the-Shelf (OTS) Software and information systems from unauthorized access, Content of Premarket Submissions for use, disclosure, disruption, modification, or Management of Cybersecurity in Medical 2014 destruction in order to provide confidentiality, Devices – Guidance for Industry and Food integrity, and availability” (AAMI TIR57, 2016, p. 3). and Drug Administration Staff ISO/IEC 27000 (2016) defines information security as Postmarket
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages13 Page
-
File Size-