Cybersecurity for medical devices

Active medical devices such as pacemakers, drug delivery pumps, lung ventilators and dialysis machines are increasingly connected to the Internet, healthcare organisations’ networks, and other devices to enhance their functionality and the ability of healthcare providers to treat patients. More and more active medical devices can be controlled via a mobile phone, and their data can be transmitted remotely to the treating physician. More recently, rapid advances in computing technology and software production have led to an explosion of medical apps, or software as a medical device (SaMD).

Connectivity of medical devices to the Internet and networks facilitates information sharing and treatment delivery, but it also exposes medical devices to cybersecurity threats. Although threats and vulnerabilities cannot be eliminated, they can be reduced and managed by implementing good cybersecurity practices.

The responsibility for implementing and maintaining good cybersecurity practices falls upon all stakeholders involved with the design and use of medical technology. While supplying compliant medical devices is the responsibility of manufacturers and sponsors, compliant medical devices will only be as secure as the weakest link in the environment in which they operate. Healthcare organisations and end users also have a responsibility for providing and maintaining a cyber-secure environment for active medical devices to operate in. MTAA is collaborating with the TGA and CSIRO in defining and implementing cybersecurity best practices for medical devices. The MTAA submission to the 2018 TGA consultation on cybersecurity can be accessed here.

Useful links:

TGA & CSIRO - Research: Software as a Medical Device and Cyber Security for Medical Devices

Australian Cyber Security Growth Network - AustCyber

U.S. FDA - Cybersecurity

European Coordination Committee of the Radiological, Electromedical and Healthcare IT Industry (COCIR) - Advancing cybersecurity of health and digital technologies, March 2019

International Medical Device Regulators Forum (IMDRF) - Work item: Medical Device Cybersecurity Guide