TGA draft guidance calls for heightened cybersecurity for medical devices in Australia
The cybersecurity implications of medical devices have come under scrutiny as the digitisation of healthcare extends into a wider range of professional, personal and public environments.
In a bid to plan for an evolving cybersecurity landscape and maintain patient safety, the Therapeutic Goods Administration (TGA) has released draft regulatory guidance on cybersecurity for medical devices, in line with existing regulatory requirements.
The Medical Device Cybersecurity Draft Guidance and Information for Consultation report calls for a clear regulatory environment for connected medical devices and identifies strategies to influence the approaches of those who use medical devices.
“Connectivity and digitisation of medical device technologies may help improve or increase device functionality. However, the connection of devices to networks or the internet exposes devices to increased cyber vulnerabilities that can potentially lead to unacceptable risk of harm to patients,” the report identified.
“These include denial of service or intended therapy, alteration of personal health data or alteration of device function so that it can cause actual patient harm.
“In 2016, the Australian Government released Australia’s Cyber Security Strategy, detailing priority actions to improve Australia’s general cyber security posture, alongside supporting the growth of the local cyber security industry… In line with this, the continued safety, quality and performance of medical devices impacted by cyber-related issues is the responsibility of the TGA.”
According to the TGA, operating environments are highly variable and cybersecurity risks are dependent on the knowledge, expertise and approach of the users of medical devices.
“A compliant medical device will only be as secure as the most vulnerable aspect of the system it is expected to operate in. Users of medical devices also have shared responsibility for providing a cyber-secure environment for these devices to operate in,” the report stated.
What is necessary?
Key to the implementation of medical devices, according to the report, is the development of a “clear and well documented” risk assessment and business continuity strategy, where the goal is to develop an environment where risk to patients is minimised.
It includes a call for device manufacturers and users to develop a cybersecurity strategic plan that covers a cyber-specific risk assessment and response strategies.
“The plan should have clearly defined event response procedures that define the responsibilities of each department in the event of an incident, and emphasise the importance of each area being familiar with these procedures,” it said.
“The strategy will need to be revised as new types and classes of connected medical devices are added to the healthcare environment.”
Cross-functional collaboration is a tool that the report claimed is essential for effective cybersecurity control of medical devices.
The TGA said healthcare service providers should aim to facilitate an environment that drives cross-functional collaboration between the biomedical, clinical support and IT teams, helping all areas develop a better understanding of the work completed within each team.
“The biomedical team should… engage with medical professionals within the healthcare organisation to help broaden their understanding of the operating profile of their devices, the technology under their management, implementation of cyber security controls and the associated risk,” it said.
Collaborative procurement is another area for improvement, the report identified: updating procurement practices to ensure the purchase of appropriately secure devices will create greater demand for improved cybersecurity within medical devices.
“[One way is to] incentivise procurement teams to work with IT and biomedical teams on the procurement of new medical devices to help ensure that cybersecurity is a measurable factor in procurement.”
The report also suggested that organisations develop an inventory and risk profile of the current state of connected medical devices, providing insight into vulnerabilities in the operating environment.
This inventory could include information such as the operation and purpose of a medical device, its secondary uses, who the primary users are, expected life-span of the device, support agreements in place and support for critical components.
The report also called for more general training for all staff within organisations to raise baseline security awareness and skills.
“Many professionals in the health and medical sector have received little training on cybersecurity. [Organisations need to] actively work to create a culture of cyber security awareness, vigilance and reporting, and regularly communicate potential cyber security issues,” it said.
Segmenting the corporate network from the biomedical network could also help improve defences against cybersecurity attacks.
“Ideally, this should be done with an internal firewall. This will significantly reduce the risk of malware spreading from one network to another.
“Medical devices should be segmented into logical groups (manufacturer or modality) to reduce the attack surface. When possible, medical devices should be isolated,” the report said.
In addition, it recommended that healthcare organisations consider implementing multi-factor authentication for staff access to networks, especially in areas of high traffic, and reduce privileges to only those required.
“Access to the network is critical for most medical devices, especially with an Electronic Medical Record (EMR) system. Ensuring that only authenticated access is provided is key but when credentials are compromised, it can be challenging to define authenticated but unauthorised access.
“So, regular reviews of network access should be completed. These must be managed to ensure usability of systems is not adversely impacted.”
The report also said that more focus should be given to securing medical devices themselves, rather than just ICT equipment.
“Monitoring the internal and external environment for medical device abnormalities and cyber security threats is important to building a stronger cyber security posture. One advantage of monitoring medical devices is that their range of normal operation is narrow. This means that anomalies can be easier to spot in medical devices than ICT equipment,” it identified.
The TGA has invited industry, peak bodies, professional and consumer groups, and individuals to provide comment on the draft guidance. Submissions for comment close on 14 February and will be used to help inform the final guidance document.