Incorporating Privacy and Security by Design into MedTech
Medical technology is transforming healthcare, but it raises privacy and security concerns. Sensors, wearables, connected medical devices, and similar products make up this group of digital health technologies. While they bring innovation and new possibilities for improving care, MedTech security and privacy have had to evolve alongside them and have seen their share of challenges.
To enable MedTech development to serve the entire healthcare ecosystem — patients, providers, regulators, payers, and tech companies — privacy by design and security by design must be part of the device’s design from the beginning. When the two are aligned and balanced, all stakeholders benefit.
Where Do Privacy and Cybersecurity Intersect?
When talking about MedTech, what makes it different from other industries is the collection and sharing of PHI (protected health information). PHI has privacy regulations in accordance with HIPAA (Health Insurance Portability and Accountability Act).
On top of HIPAA, MedTech companies are now dealing with new regulations, such as the California Consumer Privacy Act (CCPA). California enacted the law to fill gaps in data privacy. The CCPA actually extends some of HIPAA’s regulations to include more companies that deal with PHI but are outside the “covered entities” of HIPAA, such as providers of wearables.
MedTech must abide by these regulations on the privacy side. What brings cybersecurity into the conversation is that threat actors find PHI very attractive and seek to breach it. According to a 2019 report, 82 percent of healthcare organizations using IoT (internet of things) MedTech devices were the target of a cyberattack. Attackers see these devices as ripe opportunities to infiltrate networks and spread malware. Beyond stealing PHI, threat actors compromise medical devices to cause physical harm and to advance an adversary’s objectives.
Cybersecurity and Privacy Have Common Goals
Looking at the tenets of cybersecurity and privacy, the two share common goals:
- Not allowing access or disclosure of data to unauthorized entities or processes.
- Data, whether in transit or at rest, is only changeable in a specified, authorized manner.
These goals focus on unauthorized access; however, that’s not the only threat. Authorized access to PHI can also be a source of privacy and cybersecurity concerns. Authorized users therefore still need checks and balances.
To ensure that both privacy and security are in the DNA of MedTech, security by design and privacy by design are becoming the norm.
What Is Security by Design and Why Does It Matter?
Security by design is crucial in MedTech. It means that cybersecurity must be built into the design from the start. It can’t be an afterthought.
Security by design principles require a thorough understanding of the cybersecurity vulnerabilities associated with the device or platform. You can use several frameworks, such as the NIST Cybersecurity Framework, the Center for Internet Security (CIS) Critical Security Controls, and ISO/IEC 27001 and 27002. Organizations can use these as a starting point, customizing as necessary.
Security by design doesn’t just support cybersecurity. It also provides support for the commercialization of the product. It helps establish risk management plans, the application of standards, penetration testing, monitoring, and more.
To develop the “right” security by design, you’ll also need to consider other factors like UX (user experience), social engineering and phishing threats, touchpoints, and product lifecycle stakeholders.
What Is Privacy by Design and Why Does It Matter?
Privacy by design means taking a privacy-first approach to the development of a device or technology. From the outset, privacy protections must be a focus. Privacy by design includes seven principles:
- Being proactive, not reactive, and preventative, not remedial: Anticipate privacy risks and prevent privacy-invasive practices before they occur.
- Privacy as a default setting: Automatically protect PHI as the default so it’s always protected during collection, use, storage, and transfer.
- Embedding privacy into the design: When protections are part of the design, privacy becomes a core function of the product rather than an add-on.
- Full functionality; positive-sum, not zero-sum: It’s not either/or in this dynamic, such as privacy vs. security. Instead, it’s about enabling both.
- End-to-end security through the full product lifecycle: Security measures should be in place from beginning to end.
- Ensuring visibility and transparency: MedTech should operate as expected, and users should be aware of how and why it’s collecting PHI.
- Respect for user privacy and a focus on user-centricity: Keep user interests top of mind during the design of MedTech.
To achieve privacy by design, you can use the same frameworks for security by design or develop your own process that translates the principles into actionable workflows. The desired outcome will be that privacy requirements in MedTech development are fully implementable and functional and that you can proactively manage any identified privacy risk.
Cybersecurity Assessments for MedTech
When developers follow security by design and privacy by design, the device has a good foundation for deployment and upkeep. You’ll still need to perform adequate testing to meet the FDA’s cybersecurity requirements. Typically, MedTech companies engage third parties to do this.
A complete medical device cybersecurity assessment provides you with an unbiased evaluation of what vulnerabilities remain. We recommend two Assessment Evolutions, a test/retest model. After the first test, there’s an opportunity for remediation. The second evolution retests to confirm that the remediation addressed the findings.
By partnering with our team of cybersecurity experts, you can ensure that your device is secure and private so it poses no risks for patients. Connect with us today to schedule a discovery call.