In medical devices, risk management is expected to be an ongoing activity, which is considered, controlled and documented across all phases in the life of a product, from the initial conception to development and testing, market authorization, post-market use, and through to end-of-life and retirement.
When cybersecurity risk is not effectively managed throughout the life of the device, it can lead to issues including a medical device failing to deliver its therapeutic benefit, a breach in the confidentiality, integrity, and availability of medical device data, or malicious unauthorized access to the medical device and the network it operates on.
The CIA triad represents the three pillars of cybersecurity: confidentiality, integrity, and availability, as follows.
Confidentiality - preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity - guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity
Availability - ensuring timely and reliable access to and use of information
NIST published version 1.1 of the Cybersecurity Framework in April 2018 to provide guidance on protecting and developing resiliency for critical infrastructure and other sectors. The framework core contains five functions, listed below:
Identify - develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities
Protect - develop and implement appropriate safeguards to ensure delivery of critical services
Detect - develop and implement appropriate activities to identify the occurrence of a cybersecurity event
Respond - develop and implement appropriate activities to take action regarding a detected cybersecurity incident
Recover - develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident