Date: 1 25 2018 By Geoff Hutchins, Harold Pogue, Mohammad Raza
Understanding Cybersecurity Risk
Like other risk management perspectives, such as business and product risk, cybersecurity needs to be addressed throughout the development process.
A key part of this is understanding the types and classification of cybersecurity risk as a framework for assessing risk and developing control measures.
Several viewpoints should be considered when setting this up:
- Classification of the nature of the risk: malware, riskware, spyware, etc.
- Product lifecycle stage: premarket, post-market and legacy device
- Risk introduced using OTS & SOUP libraries
- Product intended use, use environment, and hazard profile: life-sustaining, diagnostic, hospital or home
- Classification by core functions: Identify, Protect, Detect, Respond and Recover
- Classification by means of access: network connection, wireless, USB, and media such as CD
There are several existing frameworks that a manufacturer may consider using:
- NIST Cybersecurity 
- Common Vulnerability Scoring System (CVSS) [4]
- AAMI TIR57 Principles for medical device security – Risk Management
- UL 2900 Testability of network connected devices.
Cybersecurity Risk Management Process
Cyber risk management should be considered part of product lifecycle management:
- Conduct product requirements cyber risk analysis and assessments.
- Evaluate code, library and tool vulnerabilities and validations.
- Plan and execute penetration testing on product configurations.
- Document testing and re-evaluation plans for new threats
- Plan for the deployment of updates and the associated cybersecurity risks.
Some essential ways to mitigate risk include the following:
- Require the user to update the default password of the device. Default passwords, especially for networked devices, are well known and can be exploited. Use longer passwords with a high degree of randomness.
- When designing the device, avoid using WEP/PSK/TKIP. These are no longer considered secure and have been deprecated. They share the same key, and if that key is compromised, all devices in the network that communicate with that key are vulnerable.
- Ensure that all data at rest is encrypted, so that privacy is maintained even if the data is stolen. It is also good practice to create backups prior to any change and to instruct the device user on how to recover the backup.
- For software as a medical device, it is necessary to designate a patch management facility/process. Patches are common but can sometimes cause problems. Having a process in place that verifies that the patch works on the equipment before wide-scale deployment will minimize risk.
- Have a periodic device verification plan and perform regular audits.
- Perform security tests and provide these to the end user. These tests should include encryption, authentication, patches to the software, and version of virus protection.
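As an added example (not from the original authors), the Wi-Fi item in the list above can be turned into an automated design-review check that flags WEP, PSK and TKIP in a device's wireless configuration. It assumes the device stores its Wi-Fi settings in wpa_supplicant.conf syntax; the network names and key below are constructed sample data.

```python
import re
# Constructed sample in wpa_supplicant.conf syntax (format is an assumption).
SAMPLE_CONF = '''
network={
    ssid="ward-legacy"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="ward-shared"
    key_mgmt=WPA-PSK
    pairwise=TKIP CCMP
}
network={
    ssid="ward-enterprise"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
}
'''
# Defaults documented in wpa_supplicant.conf for fields left unset.
DEFAULTS = {"key_mgmt": "WPA-PSK IEEE8021X", "pairwise": "CCMP TKIP",
            "group": "CCMP TKIP WEP104 WEP40"}

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit_network(net):
    """Return the weak settings (WEP, PSK, TKIP) one entry allows; unset fields use DEFAULTS."""
    found = set()
    key_mgmt = net.get("key_mgmt", DEFAULTS["key_mgmt"]).split()
    if any(k.startswith("wep_key") for k in net):
        found.add("WEP")
    if any(m.startswith("WPA-PSK") for m in key_mgmt):
        found.add("PSK")
    if any(m.startswith("WPA-") for m in key_mgmt):
        ciphers = {c for f in ("pairwise", "group") for c in net.get(f, DEFAULTS[f]).split()}
        weak = {"TKIP": "TKIP", "WEP40": "WEP", "WEP104": "WEP"}
        found |= {weak[c] for c in ciphers if c in weak}
    return sorted(found)

def audit_config(text):
    return {n.get("ssid", "?"): audit_network(n) for n in parse_networks(text)}
```

The "ward-shared" entry is flagged for WEP as well as PSK and TKIP because its group cipher list is left unset and so falls back to the permissive default; pinning both `pairwise` and `group` to CCMP clears the cipher findings.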
[1] Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff, October 2, 2014.
[2] IEC TR 80001-2-2 Edition 1.0 2012-07, Application of risk management for IT Networks incorporating medical devices.
[3] Guidance for Industry, Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software, January 14, 2005.
[4] Postmarket Management of Cybersecurity in Medical Devices – Final Guidance, FDA presentation January 12, 2017, CDRH Webinar.