Information Security in MedTech sector
Healthcare provider organisations, pharmaceutical companies, Med Tech and medical device manufacturers all must take critical security steps to avoid becoming victims of data breaches. Medical device manufacturers and healthcare organisations need to implement safeguards to reduce the risk of failure or misuse in the event of a cyber-attack.
The medical device and healthcare market has taken a huge leap forward in the last few years, and there is a fine balance between getting a product to market quickly and competitively and doing it safely and securely.
The NCSC, the NCCIC, FDA, MHRA and NHSX are consistently releasing intelligence on cyber-attacks, many of them state funded.
Software as a Medical Device (SaMD) is fast becoming the new normal. Instead of the old non-networked devices we now have applications on smartphones that are connected continuously and accessible.
Along with the changes in regulations around medical and healthcare products, there are many cybersecurity challenges arising from the merging of technology, hyper-connectivity and recent developments in regulation.
Information and Cyber Security around the processing of health data has always been a concern but as the amount of data and the speed of connectivity both increase exponentially the risks and impacts increase dramatically.
MedTech Information Security Consultancy
Robust governance, risk identification, risk management and compliance capabilities are essential to navigate the challenges of an increasingly complex and competitive space that requires organisations to maintain regulatory compliance, improve overall efficiency and effectiveness, and deliver a high-quality and safe patient care experience.
Aston Information Security has been consulting in the healthcare, med tech, digital health, medical device and big pharma arenas since 2001 and has worked in the health regulation fields of the UK, EU, USA, Europe, Dubai, Abu Dhabi, and China.
Where information and cyber security standards such as the NHS Data Security and Protection Toolkit (DSPT), ISO 27001 ISMS, HIPAA, FDA Part 11, MDR, MHRA and EU standards require integration with other standards, e.g. ISO 13485 and ISO 9001, our experience is second to none.
Medical device and healthcare risk management implements a process for evaluating the cybersecurity risk to the clinical performance by considering:
- the exploitability of the cyber security vulnerability; and
- the severity of the health impact to patients if the vulnerability were to be exploited.
The worst-case scenarios drive the cyber-protection level of the device. Therefore, all malicious attack scenarios are gathered and compared against human-error 'misconfiguration' scenarios, so that the required protection level reflects the worst credible outcome regardless of its cause.
Security risk assessments should no longer treat the information as the primary asset to be defended, but should explicitly consider the healthcare outcomes, systems and processes for which that information is used. A balance needs to be achieved between safety, security and privacy, together with the resilience attributes of the device and its connected systems.
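The evaluation described above, scoring each scenario by exploitability and by the severity of its health impact, then letting the worst case set the device's protection level, is illustrated by the following added example. It is not code from the original page or from Aston Information Security; the 1-4 ordinal scale, the product-of-factors scoring rule, the protection bands and the sample risk register are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Level(IntEnum):
    """Ordinal scale shared by exploitability and health severity (assumed 1-4 scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Scenario:
    name: str
    origin: str               # "malicious" (attack) or "misconfiguration" (human error)
    exploitability: Level     # how easily the vulnerability could be exploited
    health_severity: Level    # severity of the health impact to patients if it were

    @property
    def risk(self) -> int:
        # Assumed scoring rule: risk is the product of the two factors the text names
        return int(self.exploitability) * int(self.health_severity)


# Assumed mapping from risk score to the cyber-protection level required of the device
PROTECTION_BANDS = ((4, "basic"), (8, "enhanced"), (16, "maximum"))


def protection_level(risk: int) -> str:
    """Translate a risk score into the protection band it falls in."""
    for ceiling, label in PROTECTION_BANDS:
        if risk <= ceiling:
            return label
    return PROTECTION_BANDS[-1][1]


def worst_case(scenarios: List[Scenario]) -> Scenario:
    """Highest risk wins; on a tie, the scenario with the worse health impact wins."""
    return max(scenarios, key=lambda s: (s.risk, int(s.health_severity)))


def worst_by_origin(scenarios: List[Scenario]) -> Dict[str, Scenario]:
    """Worst malicious scenario and worst misconfiguration scenario side by side."""
    groups: Dict[str, List[Scenario]] = {}
    for s in scenarios:
        groups.setdefault(s.origin, []).append(s)
    return {origin: worst_case(group) for origin, group in groups.items()}


def required_protection(scenarios: List[Scenario]) -> str:
    """The worst case across all origins drives the device's protection level."""
    return protection_level(worst_case(scenarios).risk)


# Constructed sample risk register for a hypothetical connected therapy device
REGISTER = [
    Scenario("Unauthenticated therapy-setting change over wireless link",
             "malicious", Level.HIGH, Level.CRITICAL),
    Scenario("Default credentials left on clinic gateway",
             "misconfiguration", Level.CRITICAL, Level.MEDIUM),
    Scenario("Telemetry readable by an unauthorised companion app",
             "malicious", Level.MEDIUM, Level.LOW),
    Scenario("Alarm threshold mis-set during deployment",
             "misconfiguration", Level.LOW, Level.MEDIUM),
]

if __name__ == "__main__":
    for origin, s in worst_by_origin(REGISTER).items():
        print(f"{origin:17} worst case: {s.name} (risk {s.risk})")
    print("required device protection level:", required_protection(REGISTER))
```

Breaking ties on health severity rather than exploitability reflects the page's emphasis on patient impact: two scenarios with equal scores are separated by which one would hurt people more, not by which is easier to trigger.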
Our MedTech Information Security Services
Beyond the traditional information and cyber security approach of Confidentiality, Integrity and Availability, for medical devices and healthcare it is also necessary to consider the Safety, Reliability and Availability of the processes, devices and connected systems. This includes assessing any safety functions and the consequences and impacts of malfunction on people, equipment and the environment, cognisant of the legal onus upon manufacturers, integrators, IT suppliers and healthcare organisations throughout the system lifecycle.
Based on our medical device cyber security compliance experience our cyber security assessment protocol consists of the following activities:
- Assess risk
- Review and recommend entry points to systems
- Audit existing controls
- Assess and assist with the Traceability Matrix
- Collaborate on writing bespoke policies, and procedures
- Assess and assist with architecture cybersecurity
Where required, we can assist in the meetings with various international health regulators to address their questions and provide assurances on the security of our clients’ medical devices and applications.
We provide an unrivalled service in conducting audits and gap assessments, and in implementing and managing against:
- NHS DSPT
- ISO 27001, and integrating with ISO 13485 and ISO 14971
- ISO 27002, ISO 27799 Health Informatics and ISO 27701 Personally Identifiable Information (PII) control selection and implementation
- Suppliers/Vendor cyber security Supply chain audits and monitoring
- HIPAA
- FDA Part 11
- Medical Device Regulation/Directive (MDR) and MHRA regulations
- NIS Regulation/NIS Directive
- NIST SP 800-53 and SP 800-171
We provide a road map to assist in complying and certifying, where required, against the standards.
Benefits of MedTech information security audits
- Understanding the connected device environment and network infrastructure
- Ability to build a bigger better business knowing the foundations of security are in place
- Planning for or implementing security measures
- Robust Third Party/Vendor Management to protect against their vulnerabilities
If you have an information security question or would like to hear from one of our consultants, please call us now.