Ensuring medical security is not a pain in the neck

  • January 31, 2026
  • Steve Rogerson
  • Digi

Steve Rogerson attended a joint webinar by Digi and Bytesnap on how medical device manufacturers should handle increased cyber-security regulations.

I have a pain in the neck, literally. After giving me much physiotherapy and exercises, the doctor decided late last year that I needed an MRI scan to work out exactly what was going on in there.

The problem, and it is a common one for the UK’s free health service, is that the waiting lists for such treatments are long; we are talking months. There are so many people, as they should, using the service that at times it is straining at the seams. Though that has improved recently, there are still very long waiting lists for even basic treatments, as I found, and hospital beds are in high demand, leading to the well-publicised sights of people on trolleys being treated in corridors.

One way health services, both in the UK and elsewhere, are trying to alleviate the pressures is by turning to IoT technology that allows more people to be treated and monitored away from hospitals. That means at home.

The technology challenges from that were outlined in an IMC webinar I attended this week given by Andreas Burghart, senior product manager at Digi (www.digi.com), and Graeme Wintle, a director at design consultancy Bytesnap (www.bytesnap.com). Andreas pointed out that healthcare was one of the fastest growing segments in the industrial IoT field driven by the need for real-time data. But, and it is a massive but, taking these data outside the hospital environment raises serious concerns regarding security.

“Devices are now operating in less secure home networks alongside many other devices,” said Andreas.

This increases risk. The security landscape has thus changed significantly, and regulatory bodies have been keeping a close eye. For a long time, the industry has been controlled by guidance and best practices, but incidents and recalls have shown these are no longer enough.

“What we are seeing now is a fundamental shift,” said Andreas. “Governments are moving from recommendations to enforceable law.”

This has happened already in the USA with security requirements being written into law. Manufacturers must demonstrate cyber-security capabilities and they must show the ability to patch devices in the field before the devices are released. Europe is moving in a similar direction. Suddenly medical devices find themselves in the same zone as defence and access control.

These devices are becoming more interconnected and so the attack surface expands. This increases the risk of access to sensitive information including patient data. More seriously, it means medical devices can be manipulated, altering treatments and therapy, affecting decision-making abilities, or even stopping devices from working altogether.

The increased regulations have the goal primarily of protecting patient safety, making sure a cyber issue does not disrupt treatment. Regulators expect a risk-based approach.

“They don’t expect perfection,” said Andreas.

What they do expect is manufacturers to know the risks, to prioritise them and show they have been reduced to an acceptable level. They want transparency and traceability in how the risks have been tracked from identification and throughout the lifecycle of the product. Cyber security is a moving target so the processes must keep evolving as the risks change.

“Our customers want some sort of automated continuous monitoring,” said Graeme, adding that manufacturers needed to demonstrate checks and fixes were happening. And all this must be audited to show what changes have been made.

This means in practice that all software components running on the device must be included in the software bill of materials (SBoM) and the SBoM itself must be a living document that is updated continuously. Included should be open-source software, commercial software and internally developed applications. Also, software versions need to be listed because vulnerabilities often get fixed in later versions.

The SBoM also must be linked to known vulnerabilities, otherwise it is just an inventory. This means security needs to be embedded into the software development lifecycle and not treated as a post-launch add-on. Manufacturers need to understand how emerging vulnerabilities can affect already launched products.
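To make the SBoM more than an inventory, it has to be checked against a vulnerability feed whenever either side changes, and a field patch has to be recorded back into it. The script below is an added illustration, not code from Digi, Bytesnap or the webinar; the SBoM contents, the vulnerability feed and its ids are constructed placeholders, not real components or advisories.

```python
# Added example (not from Digi, Bytesnap or the webinar): checking a living SBoM
# against a vulnerability feed so the inventory becomes an operational tool.
# All component names, versions and vulnerability ids below are constructed.

def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version such as '3.0.7' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))

# Constructed SBoM: every software component on the device, with its version
# and whether it is open-source, commercial or internally developed.
SBOM = {
    "device": "home-patient-monitor",
    "components": [
        {"name": "openssl",      "version": "3.0.7", "supplier": "open-source"},
        {"name": "mqtt-client",  "version": "1.4.2", "supplier": "commercial"},
        {"name": "therapy-ctrl", "version": "2.1.0", "supplier": "internal"},
    ],
}

# Constructed vulnerability feed: placeholder ids, NOT real advisories.
VULN_FEED = [
    {"id": "VULN-EXAMPLE-0001", "name": "openssl",     "fixed_in": "3.0.8"},
    {"id": "VULN-EXAMPLE-0002", "name": "mqtt-client", "fixed_in": "1.4.2"},
    {"id": "VULN-EXAMPLE-0003", "name": "libxml2",     "fixed_in": "2.11.0"},
]

def affected_components(sbom: dict, feed: list) -> list:
    """Return (component, vuln id) pairs where the shipped version is older
    than the version that fixes the vulnerability."""
    findings = []
    for comp in sbom["components"]:
        for vuln in feed:
            if (vuln["name"] == comp["name"]
                    and parse_version(comp["version"]) < parse_version(vuln["fixed_in"])):
                findings.append((comp["name"], vuln["id"]))
    return findings

def record_update(sbom: dict, name: str, new_version: str) -> dict:
    """Record a field patch in the SBoM so the next check reflects the fix."""
    for comp in sbom["components"]:
        if comp["name"] == name:
            comp["version"] = new_version
    return sbom

if __name__ == "__main__":
    # Re-running the same check after the patch is recorded is the audit trail.
    print("before patch:", affected_components(SBOM, VULN_FEED))
    record_update(SBOM, "openssl", "3.0.8")
    print("after patch: ", affected_components(SBOM, VULN_FEED))
```

Running the check on a schedule, and again each time the SBoM or the feed changes, is the continuous monitoring the speakers describe; the output before and after each patch is the evidence an auditor asks for.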

“Continuous security is a requirement, not an option,” concluded Andreas. “SBoMs are becoming operational tools for managing real-world vulnerabilities. You need to design security in from day one and maintain it for the full product lifecycle.”

If you want to watch the full webinar, you can register to do so at www.bytesnap.com/news-blog/medical-device-security-webinar/. You can also request a free one-hour Digi security consultation at hello.digi.com/free-security-consultation.

And for those of you interested, my MRI scan is now scheduled for the end of February.