
Exploring the Cybersecurity Roles of Manufacturers and Healthcare Organizations During the Medical Device Lifecycle


TLP: WHITE This report may be shared without restriction.
Health-ISAC members, be sure to download the full version of the report from the Health-ISAC Threat Intelligence Portal (HTIP).

Key Judgements

  • Medical devices go through four lifecycle phases, with varying levels of responsibilities placed on the medical device manufacturer and the healthcare delivery organization.

  • Healthcare Delivery Organizations should perform more regular risk assessments going into End of Life and End of Support to determine if they can accept the risk of continued use.

  • The manufacturer implements Security Control Categories in the development phase to ensure that the device is Secure by Design, Secure by Default, and Secure by Demand.

  • Documentation and Transparency are critical in maintaining cybersecurity. This includes providing detailed security documentation, a Software Bill of Materials (SBOM), and clear communication about vulnerabilities and updates. 


Introduction

As medical devices become more interconnected and gain internet and wireless communication capabilities, understanding the lifecycle stages and the tasks needed to maintain their security posture will help organizations secure devices against cybersecurity threats. The device lifecycle comprises the stages a device passes through: research and development, time on the market, and eventually end of life and end of support. As medical devices move through these phases, responsibility for tasks may transfer between the manufacturer and the customer. Communication between the two parties is essential throughout the lifecycle so that tasks are coordinated and security gaps within the product are reduced.

This document explores the tasks needed to maintain the cyber resilience of medical devices and how the responsibilities may shift from party to party throughout the total product lifecycle. The responsibility for maintaining a medical device's cybersecurity posture evolves throughout the lifecycle of a device. The process begins with the device manufacturer during the design and development phase and may increasingly shift to the Healthcare Delivery Organization (HDO) once the device is in clinical use. The International Medical Device Regulators Forum (IMDRF) Principles and Practices for the Cybersecurity of Legacy Medical Devices outlines four lifecycle phases. The Food and Drug Administration (FDA) provides requirements for the cybersecurity of medical devices in its pre- and post-market guidance. Manufacturers can address a device's cybersecurity during design and development using the premarket requirements. Post-market requirements are needed because cybersecurity risks continue to evolve after the medical device reaches the market.
