Medical Device Cybersecurity: Products Must be Both Accessible for Users and Impenetrable for Cybercriminals
Event Type: Poster Presentation
Time: Thursday, April 15, 2:00pm - 3:00pm EDT
Location: Medical and Drug Delivery Devices
Description: For human factors professionals, the priority is to make products and devices more accessible to users, while in cybersecurity the goal is effectively the opposite: to make systems less accessible to the bad guys (who may be disguised as harmless users). Striking the right balance between these apparently contradictory goals takes some skill. As cybercrime has become increasingly complex, the security measures meant to intercept these crimes have developed accordingly, and vice versa. Medical devices from pacemakers to insulin pumps are hackable, and achieving device security while maintaining user accessibility will continue to evolve with the devices themselves.
Hospital systems and the medical products that enable them to function involve situations where seconds can be the difference between life and death on a daily basis. Designing in cybersecurity measures like complex passwords, two-factor authentication, or even biometric fingerprint authorization can add precious seconds to that process, not to mention potentially necessitating additional sterilization steps. These roadblocks further highlight the growing need for human factors evaluation of medical device cybersecurity features. The onslaught of the COVID-19 pandemic has exponentially increased the need for both connected medical devices for patient monitoring and telehealth, and cybercriminals have taken advantage of security weaknesses in order to access hospital and patient data.
This lecture would dive into the challenge of modeling an effective product that is simple for users yet at the same time off-limits to cybercriminals, and into strategies for ensuring your human factors testing adequately assesses the cybersecurity aspects of a product.

Takeaway points would include:

• Cybersecurity basics,
• Measures to improve cybersecurity from a personal and organizational perspective,
• Guidance on design elements to consider for instructional materials, avenues of communication, and methods of outreach to explain cybersecurity measures and warning signs of compromised devices to end users,
• Methods to assess user comprehension of product cybersecurity features,
• What are we seeing from the FDA on the balance between HF safety and cybersecurity?

In 2019, the Department of Health and Human Services published a report cataloging solutions to reduce the risk of common cybersecurity threats for healthcare delivery organizations. Additionally, given the recent implementation of the Digital Health Center of Excellence by the FDA, new guidance is anticipated this year that will greatly expand the expectation for submissions.