October 22, 2024
By Akkshaj Singh (RTI), Felix Adusei and Om Mahida (Medcrypt)
In today’s rapidly evolving healthcare landscape, the integration of modern medical devices with advanced connectivity features and artificial intelligence (AI) capabilities has become essential. However, this interconnectedness introduces new risks and vulnerabilities, making medical devices prime targets for cyberattacks. The consequences of such attacks extend beyond immediate patient safety concerns, posing significant business risks that include regulatory non-compliance, reputational damage, and potential legal liabilities.
In 2023, the PATCH Act amended the Food, Drug & Cosmetic Act (FD&C), granting the FDA explicit legal authority to enforce cybersecurity requirements for medical devices. In October 2023, the FDA began actively enforcing new cybersecurity regulations, issuing Additional Information Needed Notices (AINN) to Medical Device Manufacturers (MDMs) failing to meet required security standards.
The FDA reports an average of fifteen cybersecurity-related concerns per deficiency letter that addresses cybersecurity issues. This high number indicates that many manufacturers are struggling to meet the FDA’s cybersecurity requirements across multiple aspects of their device development and security implementation processes.
The FDA’s guidelines emphasize the importance of a security architecture that incorporates cybersecurity risks and controls throughout the device’s lifecycle.
Medcrypt’s Guardian works side-by-side with RTI Connext’s Security Extensions to provide a comprehensive solution (Figure 1). This integrated solution ensures that medical device manufacturers can effectively secure their devices and meet FDA requirements, potentially avoiding the numerous deficiencies that many are currently facing. With this integrated approach, you can:
By leveraging the combined expertise of Medcrypt and RTI, medical device manufacturers can navigate the complex landscape of cybersecurity regulations, mitigate business risks, and focus on what they do best: innovating to improve patient care. Our solution is designed to help you address potential deficiencies before they become issues, streamlining your path to FDA approval as well as global market access.
The Medcrypt device security suite consists of the Medcrypt Guardian library and cloud infrastructure. The combination of these two facilitates scalable device provisioning workflows and Public Key Infrastructure (PKI) operations. Together, they play an important role in establishing a device’s cryptographic identity to enable trust, authentication, data security, and secure communication between devices and any other system, whether or not that system is connected to the network.
Guardian has a software library which offers an easy-to-use API for asymmetric key generation and identity provisioning. The library achieves this by parsing a secure configuration profile and subsequently producing a request for certificates to be generated by the cloud component of Guardian.
Once the request has been processed by the cloud infrastructure, the generated certificates are returned to the device where they, along with the previously generated keys, can be used for cryptographic functions such as signing and encrypting data for device authentication and transport security. The Guardian Library is designed with portability, flexibility, and modularity at its core. Bindings are available for several languages including C++, C, C#, and Java. In some cases, custom bindings can be developed for customers after consultation.
Medcrypt’s cloud-based platform can service requests directly from devices, enrolling them into the appropriate trust hierarchies and generating device certificates. The configuration-driven Provisioning Workflow System (PWS) allows medical device manufacturers to comply with industry best practices concerning PKI and zero-trust, without the concern of managing a complicated and costly backend infrastructure.
Once a device has successfully provisioned using Guardian, it can then use its trusted keys to:
One of the key benefits of Guardian is that devices can be provisioned whether they have connectivity or are totally disconnected from the outside world, meeting the constraints often faced in the healthcare industry.
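The provisioning flow described above, reduced to its cryptographic steps, as an added illustration written in Go with only the standard library. This is not Guardian's library or API: the `Identity` type, the in-process `NewCA` that stands in for the cloud-side signing service, the `SignCSR` and `InstallCert` helpers and the subject name `infusion-pump-0001` are all assumptions made for the example. It shows the properties the text relies on: the private key is generated on the device and never leaves it, the request carries only the public key plus a proof-of-possession signature that the issuer checks, the device refuses a returned certificate that does not match its own key, and a peer validates the chain to a trusted root before accepting signed data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Identity is a key pair plus the certificate issued for it; the same type serves the
// hypothetical signing authority (standing in for the cloud side) and the device.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// must panics on error: a failing crypto/rand is not recoverable in this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func newSerial() *big.Int {
	return must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
}

// NewCA creates a self-signed root that will issue device certificates (assumed stand-in
// for the cloud signing component; not Guardian's code).
func NewCA(name string) (*Identity, error) {
	key := newKey()
	tpl := &x509.Certificate{
		SerialNumber: newSerial(), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Key: key, Cert: cert}, err
}

// NewDevice generates the key pair on the device; the private half never leaves it.
func NewDevice() *Identity { return &Identity{Key: newKey()} }

// CreateCSR builds a DER certificate request carrying only the public key.
func (d *Identity) CreateCSR(commonName string) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, d.Key)
}

// SignCSR checks proof of possession on the request, then issues a short-lived leaf.
func (ca *Identity) SignCSR(csrDER []byte, validity time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the private key
		return nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: newSerial(), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
	}
	return x509.CreateCertificate(rand.Reader, tpl, ca.Cert, csr.PublicKey, ca.Key)
}

// InstallCert accepts the returned certificate only if it matches the local key.
func (d *Identity) InstallCert(certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&d.Key.PublicKey) {
		return errors.New("certificate does not match the device key")
	}
	d.Cert = cert
	return nil
}

// VerifyChain is what a peer does with a presented certificate: chain it to the root.
func VerifyChain(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// Sign authenticates device data with the provisioned key (ECDSA over SHA-256).
func (d *Identity) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, d.Key, h[:])
}

// VerifySignature checks a signature against the public key in a device certificate.
func VerifySignature(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(msg)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

The three checks worth copying into any real provisioning client are the ones that fail closed: `CheckSignature` on the request (so an issuer never certifies a key the requester does not hold), the public-key comparison in `InstallCert` (so a device never adopts a certificate minted for a different key), and the chain validation a peer performs against its own trust anchor rather than against whatever root the presenting device offers.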
Connectivity is at the core of new data-driven technologies that are transforming surgical robotics, patient monitoring, critical care, and medical imaging. The world’s leading MedTech companies rely on RTI for secure, reliable, and real-time data sharing across their distributed applications, devices and networks.
RTI Connext® provides a standards-based, proven software connectivity framework for securing communication interfaces, independent of network location or transport. It enables zero-trust security for data in motion to support next-generation surgical and integrated digital healthcare solutions.
RTI Connext Security Extensions enable “least privilege” access to data in motion, independent of transport or network location. Because the communication framework is “data-aware” by design, data is only shared on a need-to-know basis with authorized applications. This data-centric, decentralized architecture requires no central broker and provides data-isolation features that enable flexible, secure and reliable system designs.
Connext enables fine-grained configurability of security controls to be applied to data in motion. Built-in control plug-ins include authentication, cryptography, access control, data tagging and security logging to create a “zero trust” environment. “Deny-by-default” permissions may be established based on the data and use case, and optimized for system performance across internal and external communication interfaces (Figure 2).
This level of control is essential for incorporating cybersecurity considerations into complex data sharing across interfaces and interoperable functionality. This capability is specifically called out in the latest FDA premarket guidance. Connext simplifies the configuration of advanced security controls and enables resilient and scalable security architectures as product features and integration requirements evolve.
RTI Connext Security Extensions can use keys and certificates provisioned by Guardian to protect data in transit, either between devices or between separate applications running on the same device. The Connext framework goes beyond basic authentication and encryption to provide highly configurable access control and built-in logging to most security information and event management (SIEM) platforms.
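A deny-by-default permissions document and the logic that evaluates it, as an added example in Go; this is not Connext's parser or policy engine. The XML shape follows the OMG DDS Security permissions document (grant, subject_name, validity, allow_rule, default) as the author of this example understands it; the `Request` type, the `Authorize` function, the pump's subject name and the topic names are constructed for the illustration. The evaluator is deliberately narrow: it handles allow rules plus a default (no deny rules or domain ranges) and compares subject names as plain strings, where a real implementation compares distinguished names. The subject name is the link back to the identity certificate provisioned in the previous section, which is how a per-device policy is tied to a per-device key.

```go
package main

import (
	"encoding/xml"
	"path"
	"time"
)

// PermissionsDoc mirrors the parts of an OMG DDS Security permissions document that this
// toy evaluates (assumed shape after the spec; not Connext's own parser).
type PermissionsDoc struct {
	XMLName xml.Name `xml:"dds"`
	Grants  []Grant  `xml:"permissions>grant"`
}

type Grant struct {
	SubjectName string `xml:"subject_name"`
	NotBefore   string `xml:"validity>not_before"`
	NotAfter    string `xml:"validity>not_after"`
	Allow       []Rule `xml:"allow_rule"`
	Default     string `xml:"default"`
}

type Rule struct {
	Domains   []int    `xml:"domains>id"`
	Publish   []string `xml:"publish>topics>topic"`
	Subscribe []string `xml:"subscribe>topics>topic"`
}

// Request is one access decision for a participant identified by its certificate subject.
type Request struct {
	Subject string
	Domain  int
	Action  string // "publish" or "subscribe"
	Topic   string
	At      time.Time
}

func ParsePermissions(doc string) (*PermissionsDoc, error) {
	var p PermissionsDoc
	if err := xml.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	return &p, nil
}

// matches reports whether a rule covers the request's domain, action and topic.
// Topic patterns use fnmatch-style wildcards; path.Match is a close stand-in.
func (r Rule) matches(req Request) bool {
	topics := r.Publish
	if req.Action == "subscribe" {
		topics = r.Subscribe
	}
	for _, id := range r.Domains {
		for _, pattern := range topics {
			if ok, _ := path.Match(pattern, req.Topic); id == req.Domain && ok {
				return true
			}
		}
	}
	return false
}

// Authorize returns "ALLOW" only when an in-validity grant for the subject explicitly
// allows the request; every other path (no grant, expired, bad dates, no matching rule)
// falls through to "DENY", which is the deny-by-default posture.
func (p *PermissionsDoc) Authorize(req Request) string {
	const layout = "2006-01-02T15:04:05"
	for _, g := range p.Grants {
		if g.SubjectName != req.Subject { // real implementations compare DNs, not strings
			continue
		}
		nb, errB := time.Parse(layout, g.NotBefore)
		na, errA := time.Parse(layout, g.NotAfter)
		if errB != nil || errA != nil || req.At.Before(nb) || req.At.After(na) {
			return "DENY"
		}
		for _, r := range g.Allow {
			if r.matches(req) {
				return "ALLOW"
			}
		}
		if g.Default == "ALLOW" {
			return "ALLOW"
		}
		return "DENY"
	}
	return "DENY"
}

// SamplePermissions is a constructed policy for one infusion pump: in domain 0 it may
// publish its status and alarms and subscribe to dose commands, and nothing else.
const SamplePermissions = `<dds><permissions><grant name="InfusionPumpGrant">
  <subject_name>CN=infusion-pump-0001</subject_name>
  <validity><not_before>2024-01-01T00:00:00</not_before><not_after>2025-12-31T23:59:59</not_after></validity>
  <allow_rule>
    <domains><id>0</id></domains>
    <publish><topics><topic>PumpStatus</topic><topic>PumpAlarm*</topic></topics></publish>
    <subscribe><topics><topic>DoseCommand</topic></topics></subscribe>
  </allow_rule>
  <default>DENY</default>
</grant></permissions></dds>`
```

The shape of `Authorize` is the point: the only statement that yields "ALLOW" is an explicit rule match inside a valid grant, so a pump certificate cannot publish dose commands, a workstation with no grant cannot read pump status, and an expired grant stops granting even though the certificate behind it may still verify. Logging each "DENY" decision with the subject, topic and domain is what turns this policy into the SIEM-ready signal the text mentions.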
Ensuring the cybersecurity of modern medical devices is a complex but critical task that demands a proactive, security-first approach. The latest FDA guidelines provide a structured framework for manufacturers, offering a clear path forward. However, implementing these standards requires more than just compliance; it requires a deep understanding of both the technology and the evolving threat landscape. By integrating robust security measures throughout the design, development, and lifecycle of medical devices, companies can not only meet regulatory requirements but also safeguard patient safety and data in an increasingly connected world. Medcrypt and RTI offer a proven, integrated solution to streamline and fortify security to meet these requirements, ensuring comprehensive medical device security across product lifecycles.
Address cybersecurity deficiencies before they become an issue. Visit Medcrypt’s Guardian page to learn more and start a demo.
To learn more about RTI, visit our healthcare page, or download a trial version of Connext.