Risk Assessment During the Product Life Cycle Stages
Tech Nation blog written by Phil Englert, Health-ISAC VP Medical Device Security
March 1, 2024
Managing the Cyber Risk of Medical Technology Requires a Partnership Between the Manufacturer and the Healthcare Provider
In the previous column, I introduced the International Medical Devie Regulators Forum (IMDRF) publication “Principles and Practices for the Cybersecurity of Legacy Medical Devices” (N70) and the four life cycle stages – development, support, limited support, and end of support (EOS). The N70 document contains recommendations for three responsibility areas – communications, risk management and transfer of responsibility. It makes clear how the responsibilities shift from medical device manufacturer (MDM) to health care provider (HCP) as the product life cycle progresses. In this installment, I will review the risk assessment efforts and the transfer of risk likely occurring at each of these stages.
During the development stage, the risk assessment responsibility falls entirely on the product manufacturer as they design and determine needed controls based on the intended use of the medical device. These activities include threat modeling, risk assessments and security testing to ensure the controls and mitigations are effective. The security assessment also includes vulnerability identification and risk identification based on the device security design, controls and mitigations.
The product manufacturer also develops a plan for post-market monitoring of cybersecurity vulnerabilities and ensuring the availability of security patches and mitigations based on device risk capabilities. Knowing the requirements will aid HCPs during the procurement and life cycle management planning. During the product consideration and evaluation period, HCPs should request high-level architectures that identify and describe all the communication boundaries including the ports needed and the protocols required as well as the data exchanged and the protections and hardening in place to protect those transactions. This information will help network architect teams determine how to best connect and configure the device on the network to minimize the risks introduced by the product.
Healthcare technology management teams should also seek life cycle maintenance activities. Traditionally, this includes periodic maintenance schedules and determining on-demand maintenance strategies. The update and patching cycle are also important to know. This is another element of the periodic maintenance cycle and HCPs will want to know the frequency of the update and patch cycles and who is responsible for performing the work. Is it part of the service agreement? Will the update be made available online and be the responsibility of the onsite HTM staff? The procurement phase is a good time to map out all the service activities and identify who will be responsible for completing each task. A RACI1 matrix is an excellent tool for keeping track of team roles and relaying those responsibilities to the broader team. During the development stage, the IMDRF document does not assign the HCP with any responsibility, but knowing the MDM’s responsibilities can set the stage for cyber success.
The support stage is identified by active marketing, continued product refinement and regular maintenance activities. During the support stage, responsibilities are negotiated between the MDM and the HCP. Maintenance tasks identified in the initial product RACI may be reassigned as time passes because training, skills, capacities and costs change over time. The IMDRF document states baseline security recommendations that become critically relevant during the support stage which starts with a security assessment that considers the operating environment, network segmentation, access controls, inventory management, vulnerability management and more.
HCP staff members will work closely with their local information technology and IT security teams as well as MDM product and support teams to determine the best strategies and role assignments to best protect clinical operations, patient safety, and data privacy throughout the fielded life of the medical technology. During the support stage, the IMDRF recommends that MDMs provide updated security artifacts as well as communicate key life cycle milestones in advance. The IMDRF recommends two to three years’ notice for end of life and end of support milestones, so HCPs have adequate time to consider and prepare for those transitions. Keep in mind that during the support phase, MDMs are still primarily responsible for monitoring the external environment for new and emerging threats and vulnerabilities.
HCPs should establish a communication plan with MDMs to ensure updated Manufacturer Security Statements for Medical Device Security (MDS2), Software Bill of Materials (SBOMs), technical bulletins, recalls, alerts and other security artifacts are communicated to the maintainers of the devices so that record is kept up to date and needed actions are taken. A working and effective communication plan is the best way to ensure a collaborative partnership for maintaining the cybersecurity posture of medical technologies.
During the support stage, capacities and competencies may also change with staff turnover, training, upskilling or outsourcing. Adapting an established support strategy and plan to accommodate any of these events provides HCPs with the best opportunity to maintain mission readiness. It may be as simple as revisiting and updating a RACI and then communicating those changes to each impacted party. Additionally, a well-documented support plan better prepares the HCP to adapt strategies or responsibilities as needed.
The IMDRF N70 document defines end of life (EOL) as “when the manufacturer no longer sells the product beyond its useful life” and end of support (EOS) as “when the manufacturer terminates all service support activities.” Each of these milestones typically involves a transfer of risk from the manufacturer to the HCP. At each stage, the HCP should update the risk assessment for the product. This should include gathering the most current cybersecurity information including MDS2, SBOM and other artifacts.
At EOL, the manufacturer may stop providing product updates that may have included security fixes. Find out when security patches will be made available and who will install them. If you plan to use a device past EOS, get a list of all vulnerabilities present so they can be monitored. Ask the manufacturer for recommended mitigations including segmentation, hardening, access control and configuration settings. Meet with IT and IT security teams to establish a not-to-exceed risk threshold and monitor for new device vulnerabilities and unexpected network traffic as signals for device retirement.
Managing the cyber risk of medical technology requires a partnership between the manufacturer and the health care provider. Understanding the risks at each life cycle stage is essential for managing those risks from stage to stage. Planning is best begun during the procurement process, but can be started at any stage with a risk assessment and a good communication plan between the HCP and MDM.