Medical Device Cybersecurity for Engineers and Manufacturers, Second Edition

Medical Device Cybersecurity for Engineers and Manufacturers, Second Edition removes the mystery from cybersecurity engineering and regulatory processes and practices, showing medical device manufacturers how to produce and maintain devices that meet evolving regulatory expectations and reduce business and patient exposure to cybersecurity risks. It represents a complete guide for medical device manufacturers seeking to implement lifecycle processes that secure their premarket and postmarket activities.

This step-by-step guide educates manufacturers about the implementation of security best practices in accordance with industry standards and expectations, advising the reader about everything from high-level concepts to real-world solutions and tools. It focuses on the security aspects of every lifecycle of the product, including concept, design, implementation, supply chain, manufacturing, postmarket, maintenance, and end of life. It details the practices, processes, and outputs necessary to create a secure medical device capable of gaining regulatory approval and meeting market entry requirements.

Reflecting rapid industry developments, regulatory changes, and technology advances, this new edition equips manufacturers with the knowledge to produce secure products that meet regulatory and market requirements while anticipating threats from sophisticated cyber adversaries. It's an indispensable resource for a wide range of professionals involved in medical device manufacturing, including engineering management, software/firmware engineers, business managers, regulatory professionals, contract manufacturers, FDA regulators, product/project managers, sales, marketing teams, and healthcare delivery organizations.

Foreword

1. Why Secure Medical Devices?
1.1. Why a 2nd Edition?

2. Establishing Cybersecurity Focus Within the MDM
2.1. Security Governance
2.2. Building a Security-Capable Organization
2.3. Security and Lifecycle Management – High-level Overview
2.4. Communicating Cybersecurity Needs, Costs, and Risks to Senior Leadership
2.5. Organizational Roles and Responsibilities
2.6. Regular Review of Security Maturity

3. Global Regulations and Standards
3.1. Regulatory Expectations in Major Markets
3.2. Consensus Standards
3.3. Harmonization and Alignment

4. Use Environments
4.1. Hospitals
4.2. Clinics, Doctors’ Offices, and Labs
4.3. Home Health Care
4.4. Military
4.5. Unregulated Environments

5. Supply Chain Management
5.1. Upstream Supply Chain Management
5.2 Security Criteria for Approved Supplier Lists
5.3 SBOM
5.4 Build Integrity and Attestation
5.5 Downstream Supply Chain Management
5.6 The Impact of Endemic Vulnerabilities

6. Secure Development and Production for Medical Device Manufacturers
6.1. Introduction
6.2. Secure Lifecycle Diagram Overview
6.3. Threats vs. Vulnerabilities
6.4. Securing Development Environments and Activities
6.5. Concept Phase
6.6. Planning Phase
6.7. Requirements Phase
6.8. Design Phase
6.9. Implementation Phase
6.10. Verification & Validation
6.11. Release Phase / Transfer to Production
6.12. Production

7. Documentation and Artifacts
7.1. Overview of Secure Development Deliverables
7.2 System Security Plan
7.3 Design Vulnerability Assessments
7.4 System Security Architecture
7.5. Interface Control Documents
7.6 Testing Reports
7.7 Software Bill of Materials (SBOM)
7.8 System Security Report
7.9 Labeling
7.10 Marketing and Sales Supporting Materials

8. Postmarket Vulnerability Management
8.1. Understanding FDA Expectations
8.2. Postmarket Surveillance
8.3. Updating Devices in the Field
8.4. Product Recalls
8.5. Managing End of Support (EOS) and End of Life (EOL)

9. Incident Response & Communications
9.1. Cybersecurity in Postmarket - Continuing Product Support
9.2. Incident Response
9.3. Communications
9.4. Communicating Cybersecurity Risks to Patients

10. Device Security Lifecycle for Healthcare Delivery Organizations
10.1 Pre-Procurement
10.2 Procurement
10.3 Deployment
10.4 Operations
10.5 Decommissioning
10.6 Special Scenarios

11. Aspects of IT Security in Medical Device Systems
11.1 Endpoint Security
11.2 Securing Communication Mediums
11.3 Hardware and Physical Interface Security
11.4. Hardening Common Operating Systems and Other Commercial Software
11.5. Utilizing Smart Phones and Other Off-the-Shelf or “Bring-Your-Own” Devices in Medical Device Systems
11.6. Smartphone Security
11.7. Software as a Medical Device (SaaMD)
11.8. Multifunction Products
11.9. Network Security
11.10 Chapter Conclusion: How are MDMs Making Use of These Technologies?

12. Applying Cryptography to Medical Device Systems
12.1 Overview of Cryptographic Concepts
12.2 Practical Implications and Applications of Cryptography Concepts

13. Cybersecurity Failures

14. Common Myths & Excuses

15. Appendices
15.1. Afterword to the 2nd Edition
15.2. Resources
15.3. Glossary

15.4. Index 15.5. Authors and Contributors