Executive Summary

Connected medical device vulnerabilities continue to proliferate at an alarming rate. Hospital networks are consistently under attack, posing a
significant threat to patient safety, and medical device manufacturers are struggling to implement cybersecurity risk management requirements using
proven, standardized and collaborative risk management frameworks.

On the regulatory side, conducting a cybersecurity risk assessment is now a mandatory requirement for all connected medical devices. In 2014, FDA
issued guidance for premarket cybersecurity risk management, which was quickly followed by a subsequent guidance outlining recommendations for
postmarket cybersecurity risk management. This regulatory document sets out expectations for manufacturers to consider cybersecurity throughout
the entire lifecycle of a device by developing “a structured and comprehensive program to manage cybersecurity risks” even after their products have
been sold.

In this article we explore the biggest challenges facing the medical device industry with regards to cybersecurity and the benefits of implementing an
expert medical device risk assessment software solution such as SelectEvidence® from Nova Leah.

Biggest Challenges Facing the Medical Device Industry with Regards to Cybersecurity

A 2017 Deloitte & Touche LLP poll indicated more than one-third of surveyed professionals in the Internet of Things-connected medical device
ecosystem say their organizations have experienced a cybersecurity incident in the past year. This figure is sure to rise, and will result in significant
impacts to product development resourcing and costs, patient safety and trust, recalls, and potential regulatory fines.

Further polling by Deloitte exposed the following as top challenges to be addressed…

Figure 1: Key medical cybersecurity challenges – Source: 2017 Deloitte Development LLC, Medical Devices and the Internet of Things: A three-layer defense against cyber threats

SelectEvidence® the Expert Cybersecurity Risk Management Solution for Medical Device Industry

The experts at Nova Leah have developed SelectEvidence® to address these very challenges. SelectEvidence® is a turnkey collaborative cybersecurity expert system that supports medical device manufacturers in designing, verifying and certifying connected medical devices to meet these FDA guidelines and industry security standards. It also assists healthcare providers in the selection, acquisition and risk management of medical devices on their healthcare networks.

SelectEvidence® allows stakeholders to identify cybersecurity requirements for their devices using proven standards within a collaborative framework. SelectEvidence® is supported by state of the art repositories and machine learning capabilities which inform each step of the risk management process, providing full traceability from risk identification to treatment.

SelectEvidence® facilitates and informs all premarket and postmarket risk management activities. With the functionality to import a Software Bill of Materials (sBoM), SelectEvidence® continuously surveys for newly identified vulnerabilities, alerting users to these findings and suggested mitigations. The system is a cradle to grave solution, managing cybersecurity processes from product development, market approval, integration, use, to product retirement.

SelectEvidence® can be deployed as a standalone cybersecurity expert system for an individual stakeholder or can be used as a collaborative solution for managing risk and information sharing between both manufacturers and healthcare providers.

SelectEvidence® not only assists medical device manufacturers to fully comply with FDA recommendations, it also:

Accelerates medical device design, development and validation
Addresses the scarcity of security professional resources challenging many device manufacturers
Automatically generates MDS2 forms
Breaks down knowledge barriers between manufacturers and healthcare providers, improving the security of a device over its
Produces documentary evidence of compliance to regulators, auditors and customers
Reduces costs associated with postmarket surveillance, coordinated vulnerability disclosure and reporting
Reduces the likelihood of product recalls due to cybersecurity
Reduces the time spent uncovering vulnerabilities and selecting the appropriate mitigating controls to support a device in
Reduces time-to-market for new 510k and PMA submissions