International – Demonstrating medical device cyber risk management to regulators and clients

“My medical device doesn’t have network or wireless connectivity, so cybersecurity regulatory requirements don’t apply, correct?” We get this question quite often during initial conversations with medical device manufacturers. The short answer is no: the absence of a network interface does not exempt a device from those requirements, and the assumption behind the question rarely survives a closer look at the device.

During these discussions we often find that the device has exposed USB or Ethernet ports that have not been disabled, and that the data crossing them is not encrypted. Sometimes a CAN bus forms part of the device’s command-and-control communications. Typically, the only risk control that has been deployed is that the device sits in an access-controlled room.
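Whether a port is actually disabled is something you can check rather than assert. The script below is an added example, not code from the original article or from any manufacturer it describes. It assumes a Linux-based device (or a mounted copy of its root filesystem) and uses only the standard sysfs and procfs files; the `SYSROOT` argument is a hypothetical parameter that points the checks at a mounted image or a constructed test tree instead of the live system. It reports USB host controllers that still auto-enumerate attached devices, CAN interfaces that are present, and TCP listeners bound to something other than loopback, which is what an attacker with the cable in hand would reach.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a Linux-based device
# so that sysfs and procfs exist. SYSROOT (hypothetical parameter) lets the
# same checks run against a mounted image or a constructed test tree.

# USB: a host controller whose authorized_default is not 0 enumerates any
# device plugged into its ports, so "the USB port is disabled" is not true.
usb_exposed() {
    sysroot="${1:-}"
    for f in "$sysroot"/sys/bus/usb/devices/usb*/authorized_default; do
        [ -f "$f" ] || continue
        val=$(cat "$f")
        [ "$val" = "0" ] && continue
        echo "USB host $(basename "$(dirname "$f")"): authorized_default=$val (attached devices auto-enumerate)"
    done
}

# CAN: ARPHRD_CAN is 280 in linux/if_arp.h. Any such interface is a bus that
# someone with physical access can tap or inject frames on.
can_exposed() {
    sysroot="${1:-}"
    for d in "$sysroot"/sys/class/net/*; do
        [ -f "$d/type" ] || continue
        [ "$(cat "$d/type")" = "280" ] || continue
        echo "CAN interface $(basename "$d") present"
    done
}

# Ethernet: TCP sockets in LISTEN state (st == 0A in /proc/net/tcp) bound to
# anything other than 127.0.0.1 (0100007F, little-endian hex) are reachable
# from the exposed port.
tcp_exposed() {
    sysroot="${1:-}"
    f="$sysroot/proc/net/tcp"
    [ -f "$f" ] || return 0
    # columns: sl local_address rem_address st ... ; header row is skipped
    # because its st column reads "st", not "0A"
    while read -r _sl local _rem st _rest; do
        [ "$st" = "0A" ] || continue
        addr=${local%%:*}
        port=$((0x${local##*:}))
        [ "$addr" = "0100007F" ] && continue
        echo "TCP listener on port $port bound to $addr (reachable over Ethernet)"
    done < "$f"
}

# Run all three; return 1 if anything is exposed so it can gate a build.
audit_exposed_interfaces() {
    findings=$( { usb_exposed "$1"; can_exposed "$1"; tcp_exposed "$1"; } )
    if [ -n "$findings" ]; then
        echo "$findings"
        return 1
    fi
    echo "no exposed USB/CAN/TCP interfaces found"
    return 0
}
```

Run it as `audit_exposed_interfaces` on the device, or `audit_exposed_interfaces /mnt/image` against a mounted root filesystem. A non-zero exit is the evidence that the “ports are disabled” claim needs a design change, not a sentence in the risk file.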

We often follow this exchange with a simple question: “What if an attacker were able to gain access to your device, what could they potentially do?” We ask it because the spirit of the regulatory guidance published over the last few years is shared responsibility: the access-controlled room belongs to the facility operating the device, not to the device, so it is not a control the manufacturer can take credit for alone. Simply stating that a device isn’t network-connected, or sits behind an access-controlled door, does not adequately address its cyber risk. An attacker could…