Continuously growing elements of the Industry 4.0 are the bits and bytes, or data. With platforms like Internet of Things and Cloud, on average, an individual is producing 1.70 megabytes of data every second.1 With such massive dataflows which also includes private and critical data, network plus data security becomes one of the key layers in any application or device architecture. This layer constitutes the platform of Cybersecurity and is vital when used in the medical and health industries.
To benchmark the implemented levels of Cybersecurity in a system, the FDA approved a novel rubric developed by MITRE Corp. for measuring the implemented Cybersecurity levels in medical devices. This rubric is used in conjunction with the Common Vulnerability Scoring System or CVSS version 3.0, which is an open and free industry standard for detecting and prioritizing risks or data vulnerabilities. The CVSS was developed specifically for Information Systems and did not provide or address the environmental details in which medical devices are built. The accepted rubric mitigates this issue, resulting in CVSS able to be utilized for medical devices as the environment in which these devices are built becomes a part of the hazard analysis or risk assessment.2
FDA’s accepted novel rubric includes customized questions that are recorded by analysts, along with Subject Matter Experts (SMEs), at several decision points. These decision points resemble questions which are placed in a Decision flowchart. These flowcharts offer a logical flow of all device actions and functions. Indeed, there may be a case where a question has multiple answers. In such cases, the rubric guides you to select the worst-case answer. Each answer is mapped to a score which is given by the rubric along with CSSV scores. The major target of all these questions and answers is to keep following the root cause, which may be the actual vulnerability and an open point for multiple cyber-attacks. Each vulnerability should be treated as an individual element, and utilizing the rubric along with the CVSS 3.0 produces a score that indicates the level of threat to the device for each element. In cases where the rubric does not assist with assigning a score, the CSSV 3.0 table can be referred to for guidance on scoring.3
Even though the rubric provides a way to label and prioritize system vulnerabilities, users can proactively take some actions to avoid data breaches and unauthorized user access. For example, while selecting the technology stack, the latest tech-stacks should be selected as older versions may not even recognize new malware and ransomware. Current Cybersecurity frameworks that are accepted by the FDA should be utilized while adding medical device security measures. Moreover, users including patients, healthcare personnel, and manufacturers should be trained to avoid unauthorized access to users outside the system. Lastly, the implemented tool may itself be a software, and therefore when running in a medical setting should be FDA compliant, meaning the software has been sufficiently tested, documented, captures all potential hazards, and most significantly, meets all FDA regulatory guidelines.
To summarize, Cybersecurity is critical while designing, developing, and deploying medial applications and devices. Also, current tools such as the FDA accepted novel rubric with CSSV3 should be utilized to prioritize vulnerabilities. Do you have a Cybersecurity based medical device that needs FDA approval? Our regulatory experts at EMMA International can help ensure your system is FDA compliant. Contact us at 248-987-4497 or email@example.com for additional information.
1Jacquelyn Bulao (September 2020. How Much Data Is Created Every Day in 2020? Retrieved on October 25th, 2020 from https://techjury.net/blog/how-much-data-is-created-every-day/#gref.
2FDA (October 22nd, 2020). Cybersecurity. Retrieved on October 27th, 2020 from https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity.
3Steve Christey Colley, Penny Chase (October 27, 2020) Rubric for Applying CVSS to Medical Devices. Retrieved on October 28th, 2020 from https://www.mitre.org/sites/default/files/publications/pr-18-2208-rubric-for-applying-cvss-to-medical-devices.pdf