Medical device security has evolved significantly over the past decade. Regulators, customers, and the mission of manufacturers to improve patient outcomes while also protecting patients’ personally identifiable health data has resulted in an increase in maturity throughout the medical device industry. This growth is further supported by industry groups (e.g., Association for the Advancement of Medical Instrumentation; AAMI, Healthcare Sector Coordination Council; HSCC, International Society of Automation; ISA, International Electrotechnical Commission) working to establish standards and guidance (e.g., AAMI TIR57, AAMI TIR97, HSCC Model Contract Language, ISA/IEC 62443) to assist in defining leading practices medical device manufacturers can leverage.

As the world has evolved, manufacturers have taken a look at their approach to securing their medical devices and are increasingly building and maturing capabilities to embed security throughout the product development lifecycle.

Manufacturers with a strong emphasis on medical device security are committed to building product security capabilities across their products team and remaining agile to evolve with regulatory and customer requirements and product team needs. Further, they focus on continuous improvement with the ability to pivot and respond to any opportunities or change in environment or threat level.

To help leaders reflect on their approach to medical device security and help manufacturing processes meet the needs of tomorrow, we’d like to highlight five current trends in medical device security:

• Medical devices are becoming increasingly connected through digital transformation, producing large amounts of data that need to be protected and can be leveraged to perform advanced analytics, which have the power to help improve patient outcomes and health care delivery. Medical device manufacturers should seek to expand and tailor their medical device security team capabilities, skillsets, and coordination (such as those between Information Technology, Information Security, Medical Device Security, and Research & Development) to allow for integration of security into digital development practices, inclusive of alignment to more Agile and DevSecOps practices.
• The involvement of medical device security has been shifting left—or earlier—in the device lifecycle as manufacturers look to implement a secure product development framework (SPDF). The medical device security team is being engaged earlier in the product lifecycle by the development team – sometimes starting as early as the conception phase.  As demand for medical device security resources in development teams grow, manufacturers should work to expand teams of medical device security architects and engineers – either as full-time employees or contractors to assist with the execution of medical device security processes and the secure design and engineering of medical devices.
• Once viewed as a function that did not need an executive to lead the medical device security function, reporting structures are reaching higher than ever before to Vice President or higher-level ownership. Teams are also growing wider with dedicated headcount serving teams across business units and product development teams. To both assist with corporate culture advancements around medical device security and the ability to attract medical device security talent, manufacturers should consider elevating the medical device security team leader to a Chief Product Security Officer position with board-level visibility and engagement.
• The burden of proof for security is now more on the manufacturer than ever before. As part of procurement efforts, medical device manufacturers need to demonstrate medical device security maturity as a vendor while also demonstrating that their devices are safe and secure. To address this and build a reputation of trust, many manufacturers and those in their supply chains are proactively sharing security information. This security information should demonstrate the medical device security capabilities that are in place, the security safeguards of the device that allow it to be safe and secure, and compliance with regulatory and customer requirements.
• Many medical device manufacturers are not prepared to generate or maintain a software bill of materials for each of the devices in their portfolios. While building and maintaining such an inventory is time-intensive, it’s become a top priority for most manufacturers driven by regulatory requirements, customer demands during purchasing, and the need for manufacturers to be able to perform ongoing post-market surveillance and risk management. Manufacturers should build capabilities to inventory and maintain a software bill of materials for each medical device within the organization’s portfolio. These software bills of materials can then be leveraged for sharing with external parties and for proactive vulnerability monitoring and incident response

As technology ages and innovation continues, the criticality and complexity of making medical devices safe and secure will only increase. Effectively establishing, integrating, and operating safety and security risk management processes throughout the medical device lifecycle can not only assist medical device manufacturers, but also health care providers in achieving the end goal of improving patient outcomes and keeping devices and data safe and secure.

Article Source: MPO