Helping Medical Device Makers Meet Latest Cyber Expectations
Medcrypt's Axel Wirth and Velentium's Christopher Gates on Top Security Challenges
The threat landscape facing medical devices has evolved over the last few years, and so have the cybersecurity expectations of regulators for these devices. Device makers have become more proactive in meeting the demands, but many still need to better understand the importance of life cycle security risk management and other critical issues, said Axel Wirth of Medcrypt and Christopher Gates of Velentium.
Many of those and other cybersecurity challenges facing medical device makers are laid out in the recently published second edition of "Medical Device Cybersecurity for Engineers and Manufacturers," a book co-authored by Gates and Wirth.
"The importance of a secure software development life cycle program, designing security into devices from the get-go rather than bolting it on at the end, and continued post-market security management - those are all things that every medical device manufacturer needs to understand and needs to adhere to in order to produce more secure - and therefore safer - products," Wirth said in a video interview with Information Security Media Group.
Congress gave the Food and Drug Administration enhanced authority over medical device cybersecurity in an omnibus spending bill signed into law in December 2022 by President Joe Biden (see Medical Device Security Provision Now Part of Spending Bill).
Since then, the FDA has issued regulations requiring medical device makers to submit a long list of details about the cybersecurity of their products as part of the pre-market submission process. Applications that fail to meet those requirements are rejected.
"The nice part about this is that the FDA has matured," Gates said.
"They have well-educated people in the right positions at the FDA for cybersecurity. So, that makes it a lot easier to swallow. They're not looking for the Aztec calendar. They're looking for threat modeling," he said. "It's the real-world deliverables to make the products more secure."
In the video interview with Information Security Media Group, Wirth and Gates also discussed:
- The cybersecurity implications of OT devices in healthcare;
- Security issues involving artificial intelligence and machine learning in medical devices;
- Top medical device cybersecurity considerations for healthcare delivery organizations.
Wirth has more than 30 years of industry experience, including extensive work with medical devices and health IT, and has held leadership roles at companies including Siemens, Analogic, Mitra, Agfa and Symantec. Wirth is also an adjunct professor of medical device cybersecurity at the University of Connecticut.
Gates has over three decades of experience developing and securing medical devices. He is currently a co-chair of the Health Information Sharing and Analysis Center's Medical Device Security Council.