
Resources tagged with:
Medical Device Security

Exploring the Cybersecurity Roles of Manufacturers and Healthcare Organizations During the Medical Device Lifecycle

February 4, 2025 | Health-ISAC, Medical Device Security, White Papers

TLP: WHITE This report may be shared without restriction.
Health-ISAC Members, be sure to download the full version of the report from the Health-ISAC Threat Intelligence Portal (HTIP).

Key Judgements

  • Medical devices go through four lifecycle phases, with varying levels of responsibilities placed on the medical device manufacturer and the healthcare delivery organization.

  • Healthcare Delivery Organizations should perform more frequent risk assessments as a device approaches End of Life and End of Support, to determine whether they can accept the risk of continued use.

  • The manufacturer implements Security Control Categories in the development phase to ensure that the device is Secure by Design, Secure by Default, and Secure by Demand.

  • Documentation and Transparency are critical in maintaining cybersecurity. This includes providing detailed security documentation, a Software Bill of Materials (SBOM), and clear communication about vulnerabilities and updates.

Introduction

As medical devices become more interconnected and gain internet and wireless communication capabilities, understanding the lifecycle stages and the tasks needed to maintain their security posture helps organizations secure devices against cybersecurity threats. The device lifecycle comprises the stages a device passes through: research and development, time on the market, and eventually end of life and end of support. As medical devices move through these phases, responsibility for tasks may transfer between the manufacturer and the customer. Communication between the two parties is essential as the device moves through the lifecycle so that tasks are coordinated and security gaps within the product are reduced.

This document explores the tasks needed to maintain the cyber resilience of medical devices and how responsibility for them may shift from party to party across the total product lifecycle. The responsibility for maintaining a medical device’s cybersecurity posture evolves throughout the lifecycle of a device. The process begins with the device manufacturer during the design and development phase and may increasingly shift to the Healthcare Delivery Organization (HDO) once the device is in clinical use. The International Medical Device Regulators Forum (IMDRF) Principles and Practices for the Cybersecurity of Legacy Medical Devices outlines four lifecycle phases. The Food and Drug Administration (FDA) sets requirements for the cybersecurity of medical devices in its premarket and postmarket guidance. Manufacturers can address a device’s cybersecurity during design and development using the premarket requirements; postmarket requirements are needed because cybersecurity risks continue to evolve after the medical device reaches the market.

2024 Newsletter – December

December 2, 2024 | Health-ISAC, Newsletters

December newsletter features:

  • 2025 Workshop and Summit locations
  • APAC Call for Papers
  • New Cybersecurity Regulatory Working Group
  • Medical device security blog
  • Two white papers:
    • Vulnerability Metrics and Reporting
    • 2024 Annual Health-ISAC Member Satisfaction Survey Results

Text version:

WHERE IN THE WORLD IS HEALTH-ISAC IN 2025?

WORKSHOPS:

Connect with peers and exchange best practices at locations convenient to you. Here are some of the upcoming workshop locations:

Q1

  • Bratislava, Slovakia (February 5)
  • Roseville, California (February 27)
  • West Columbia, SC

Q2

  • The Netherlands
  • Somerville, MA
  • Sydney, Australia
  • Mentor, OH
  • São Paulo, Brazil

Q3

  • Seattle, WA
  • Frederick, MD

Q4

  • St. Paul, MN
  • Philadelphia, PA
  • TBD Canada

SUMMITS:

Mark your calendars for these invaluable events.

Also, on September 18-19, Health-ISAC will host the CISO Summit in Napa, California, exclusively for CISOs.

APAC SUMMIT

“Rising Above Threats” March 10-12

Kuala Lumpur, Malaysia

SPRING AMERICAS SUMMIT

“Creating Safe Harbors” May 19-23

Naples, Florida

EUROPEAN SUMMIT

“All Roads Lead to…” October 14-16

Rome, Italy

FALL AMERICAS SUMMIT

“Mission Driven” December 1-5

Carlsbad, California

APAC SUMMIT

Why Submit an Abstract?

This is your opportunity to contribute, share expertise, gain recognition, and give back to the health security community in the Asia-Pacific region.

Submit your topic.

Registration opens on December 6, 2024, with the Summit Palooza sale – only $99 for Members.

NEW WORKING GROUP

The Cybersecurity Regulatory Working Group will identify relevant current and future cybersecurity regulations related to the health sector for discussion and sharing of best practices. Members will be able to share information to help ease this burden and educate for rational regulation as appropriate.

Members interested in joining can do so via the member portal.

Learn more about working groups here.

RESOURCES

White paper

Vulnerability Metrics and Reporting https://health-isac.org/vulnerability-metrics-and-reporting/

Survey Results

2024 Annual Member Satisfaction Survey Results https://health-isac.org/2024-annual-member-satisfaction-survey-results/

Medical Device Blog

Leveraging ISO 81001-5-1 Amid Medical Device Procurement https://health-isac.org/leveraging-iso-81001-5-1-amid-medical-device-procurement/

Cyber Incident Response: Playbook for Medical Product Makers

November 15, 2024 | Health-ISAC, In The News

New HSCC Publication Aims to Help Device, Drug Makers Improve Cyber Response

Read the full article in Healthcare Infosecurity.

Article excerpt:

Medical product manufacturers often face the same cyber incident response challenges as their peers in other industries, such as constraints in skills and technologies, said Phil Englert, vice president of medical device security at the Health Information Sharing and Analysis Center (Health-ISAC), and a contributor to the HSCC playbook.

But manufacturing processes to ensure medical products perform as intended are essential to protecting public health and may require reporting to other government agencies such as the Department of Health and Human Services or the Cybersecurity and Infrastructure Security Agency, he told Information Security Media Group.

For instance, “under section 506J of the Federal Food, Drug, and Cosmetic Act, during or in advance of a public health emergency, manufacturers of certain medical devices must notify the FDA of an interruption or permanent discontinuance in manufacturing,” he said.

“In addition to framing the incident severity assessment in terms of business impact, national security, or civil liberties, the guidance also impacts public health or safety in the incident response planning,” he said.

“Additionally, the guidelines infuse regulatory considerations into the cyber incident response team process, including reporting suspected or confirmed incidents to Health-ISAC and other information-sharing and analysis organizations.”
