Identifying Cyber Risks in Medical Device Software

Inoculate now! (or pay the price later...)

  • Authored by: Mark DuVal
  • Published on: October 30, 2018
Don't be caught unprepared

Would you risk driving your car without insurance? Maybe you would - if it was for a short drive, or an emergency. But what about doing this for months, or years?

Almost everyone working in business today has heard about the barrage of threats from sources trying to steal, damage, or hold ransom our digital data. Today the focus of attacks has expanded beyond "phishing" attempts on our email or internet accounts. Now even our devices may be turned against us if we do not take steps to protect ourselves and our customers. The number of attacks has grown exponentially over the last five years, and there does not seem to be any decrease in sight. All of us know someone who has experienced some form of attack.

In today's world, having an inadequately protected medical product (whether it be a hand-held device such as a smart phone application, or a server-based medical database) is a lot like driving a car without insurance. If you gamble doing this long enough, you will lose!

You may say to yourself, "but my servers are encrypted and backed up", or "our IT restricts access to questionable websites". These are important, but are they enough in today's world? Most notified bodies today, such as the FDA, are increasing mandates that your business consider and mitigate risks related to loss of data or personal information, and your susceptibility to malware. And the need for protection goes beyond just shippable products.

Consideration needs to be given to the impact of contamination or loss of clinical or patient data, as well as the impact on product that is shipped to patients. An intrusion that compromises your (or even your vendors') privacy can have dire consequences for your ability to ship essential components, and may be a risk you have not considered.

One way to begin assessing cyber risks is to perform an audit of your current policies. The FDA publishes a guidance (Postmarket Management of Cybersecurity in Medical Devices) that provides valuable information to ensure you understand and cover all of your bases. The FDA guidance recommends consulting the "Framework for Improving Critical Infrastructure Cybersecurity", developed by the National Institute of Standards and Technology (NIST), as a tool to aid in drafting a well-structured cybersecurity policy. This document provides information on creating a comprehensive defense against cyber threats.

Mitigating cybersecurity risks involves more than just ensuring your data is encrypted and backed up. Be sure that you understand the big picture, or you may find yourself with an "accident" that you are not adequately covered for in your risk management plan.

We can help you assess your security risks to identify and fill gaps in your cybersecurity risk profile!

Cybersecurity is a growing area in the industry and it is extremely important. Call us today to discuss your Cybersecurity needs.

The information on our site is not intended to provide specific legal advice.
Helping clients be appropriately aggressive, yet compliant. TM