Cybersecurity is an essential consideration for pharma companies creating digital health solutions and connected devices because these solutions store and process vast amounts of sensitive and valuable information, including personal health records and medical data.
Robust cybersecurity measures are required to establish and retain trust with patients, their families, care teams, and regulators. Patients' personal information, medical history, and other sensitive data needs to remain confidential and not exposed to unauthorized individuals or entities. Breaches in patient privacy can have severe consequences, such as compromising patient safety or the safe performance of a device, financial losses due to payment demands or fines, and reputational damage to the pharma company.
Cybersecurity is wide-ranging and complex. It is not something you do once and are finished with; it is a cycle that spans the entire lifetime of a product. This is a considerable undertaking for pharma to manage and usually requires skillsets or resources they do not have internally. In this latest article in our Affinial learning series, we look at how Affinial can help pharma manage its cybersecurity requirements by ensuring that solutions are not only built but also operated and maintained in accordance with evolving regulatory and cybersecurity requirements.
Pharma need to navigate stricter cybersecurity regulations
Stricter regulation and diversifying threats require that pharma mitigate cybersecurity risks. Section 524B of the FD&C Act mandates that the sponsor (manufacturer) must submit a plan to monitor, identify, and address post-market cybersecurity vulnerabilities and exploits. The plan must include coordinated vulnerability disclosure and related procedures. The sponsor must also design, develop, and maintain processes and procedures to ensure that the device and related systems are cybersecure. Sponsors must also make regular post-market updates and patches available for the device and related systems to address known vulnerabilities.
The EU is also mandating increased levels of cybersecurity. Its new Directive (EU) 2022/2555 on the Security of Network and Information Systems (“NIS2”) places increased demands on internal cybersecurity risk management. It states that the manufacturer must have security measures in place that reduce the consequences and risks of cybersecurity incidents, and a plan for how it will ensure business continuity if the company is hit by a cyberattack.
To comply with these regulations, pharma need to ensure they account for cybersecurity at every stage of the design, development, and verification process, and a digital health platform like Affinial can play a huge role in helping to do this.
Affinial enhances data security with single sign on and federated user management
Controlling who has access to patient data and information, and at what level, is a key aspect of cybersecurity. Affinial’s single sign-on and federated user management services help control this access by allowing pharma, hospitals, clinics or PSP services to use their own LDAP directories to decide which people in their organizations hold specific roles, with the associated privileges to access the relevant digital health solution interfaces and data, in a frictionless manner. This means that when somebody starts, changes, or leaves a role, their privileges only need to be updated in the organization’s directory and not additionally in the digital health solution, so access stays role-based and up to date.
This federated user management service also helps pharma companies looking to scale their digital health solutions, providing the capability to interface with third-party systems so the solution fits into clinical and organizational workflows.
Affinial is now developed to the latest standard IEC 81001-5-1:2022 to offer a comprehensive approach to cybersecurity
From a regulatory perspective, Affinial is now implemented to the latest standard IEC 81001-5-1:2022 “Health software and IT systems safety, effectiveness and security; Activities in the product lifecycle”. In line with this standard, we treat software development as a risk management activity, where cybersecurity is included at each stage of the Affinial development process. This means we have fed it into the Affinial architecture and requirements, through to verification, operation, and maintenance.
The IEC 81001-5-1:2022 standard supplements ISO 14971 and advances the way cybersecurity threats are assessed. In the not-so-distant past, cybersecurity threats were assessed based on probability, but in practice assessing probabilities was very subjective and largely guesswork. This standard enables cyber risks to be assessed based on the risk of exploit of identified vulnerabilities. This is much more practical because it’s about considering if an attack can actually occur, rather than trying to predict the hypothetical chances of an attack. The advantages of this approach include:
- a more objective and reliable assessment of the cyber risk status
- it ratchets up security over time, continuously eliminating threats as they arise
Because the US FDA has asked for the Common Vulnerability Scoring System (CVSS), described by the IEC 81001-5-1:2022 standard, to be applied in all of our recent US device submissions, Affinial has been designed, developed, and maintained fully in accordance with this exploit-based assessment.
This standard defines:
- Quality management implications of cybersecurity
- Security risk management
- Software development process and how cybersecurity is handled from software development planning, through to software requirements, architecture design, software design, verification, testing, and release
- Software maintenance process
- Security risk management
So let's take a look at how Affinial addresses each of these requirements.
- Quality Management
Affinial, and solutions built on Affinial, are developed in accordance with S3 Connected Health’s ISO 13485 certified QMS, which fully implements IEC 62304, IEC 81001-5-1 and FDA and EU cybersecurity guidance so that pharma does not need to develop or invest in their own software as a medical device (SaMD) QMS.
- Security Risk Management
A comprehensive threat model that identifies all possible attacks is created. Threats are first categorized using the STRIDE methodology (which assesses potential attacks across six dimensions: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). We then use attack trees to model more complex, multi-step attacks and identify the less obvious exploits that a single-step analysis would miss.
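The two techniques named above fit together as follows, shown in an added example that is not Affinial's threat model: STRIDE is applied per element of a data-flow diagram (the standard STRIDE-per-element mapping, in which a data store is not subject to spoofing but a process is subject to all six categories), producing the list of threats that each need a mitigation or a documented exclusion; an attack tree then combines individual threats with AND/OR nodes, and the code lists every remaining combination of unmitigated steps that still reaches the root goal. The data-flow elements, the tree and the mitigation flags are constructed for a generic connected-device backend.

```python
"""STRIDE-per-element enumeration and attack-tree evaluation.
Added example; the DFD, tree and controls are constructed, not Affinial's."""
from dataclasses import dataclass, field

# STRIDE-per-element: which categories apply to each DFD element type.
STRIDE_BY_ELEMENT = {
    "external_entity": "SR",     # spoofing, repudiation
    "process": "STRIDE",         # all six
    "data_store": "TRID",        # tampering, repudiation (logs), info disclosure, DoS
    "data_flow": "TID",          # tampering, info disclosure, DoS
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Element:
    name: str
    kind: str


def enumerate_threats(elements: list) -> list:
    """Every (element, category) pair the model must either mitigate or
    explicitly justify as not applicable."""
    return [(e.name, STRIDE_NAMES[letter])
            for e in elements for letter in STRIDE_BY_ELEMENT[e.kind]]


# Constructed DFD of a minimal records service.
EXAMPLE_DFD = [
    Element("Clinician browser", "external_entity"),
    Element("Records API", "process"),
    Element("Patient records database", "data_store"),
    Element("Browser to API (HTTPS)", "data_flow"),
]


@dataclass
class Node:
    """Attack-tree node. op is 'AND', 'OR' or 'LEAF'; a leaf is 'mitigated'
    when a verified control closes that step."""
    goal: str
    op: str = "LEAF"
    children: list = field(default_factory=list)
    mitigated: bool = False


def attack_paths(node: Node) -> list:
    """All sets of unmitigated leaf steps that still reach node.goal
    (the minimal cut sets of the tree). Empty list means the goal is closed."""
    if node.op == "LEAF":
        return [] if node.mitigated else [[node.goal]]
    if node.op == "OR":
        return [path for child in node.children for path in attack_paths(child)]
    # AND: one path from every child must be combined
    combined = [[]]
    for child in node.children:
        child_paths = attack_paths(child)
        if not child_paths:          # one closed branch closes the whole AND
            return []
        combined = [p + q for p in combined for q in child_paths]
    return combined


def feasible(node: Node) -> bool:
    return bool(attack_paths(node))


def example_tree(third_party_patched: bool) -> Node:
    """Constructed tree for the goal 'read a record the caller is not entitled to'.
    Mitigation flags are assumptions about which controls have been verified."""
    return Node("Read a patient record the caller is not entitled to", "OR", [
        Node("Reach the records API with another user's identity", "AND", [
            Node("Obtain a valid session for another user", mitigated=True),  # assumed: short-lived, bound sessions
            Node("Reuse that session from a second client"),
        ]),
        Node("Call the records endpoint without a per-request authorization check",
             mitigated=True),                                                # assumed: server-side RBAC on every request
        Node("Exploit a known vulnerability in a third-party component", "AND", [
            Node("Vulnerable SOUP version present in the deployed stack",
                 mitigated=third_party_patched),
            Node("Vulnerable code path reachable from the network"),
        ]),
    ])


if __name__ == "__main__":
    for element, category in enumerate_threats(EXAMPLE_DFD):
        print(f"{category:24s} {element}")
    for patched in (False, True):
        print(f"patched={patched}: open paths = {attack_paths(example_tree(patched))}")
```

Running it shows the value of the tree view: with the SOUP component unpatched, one two-step path remains open even though every single-step threat has a control; once the patch is applied the root goal is closed, which is the "ratchet" the standard describes.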
- Software Development Process
Affinial has a comprehensive software bill of materials (SBOM) that lists all software components and their versions within the platform. This identifies all SOUP (software of unknown provenance) and COTS (commercial off-the-shelf) software and their versions. Automated scanning tools are built into the software build process to enable third-party organizations to validate that the SBOM is correct.
- Software Maintenance Process
The SBOM is then used to monitor emerging threats against the Affinial software stack. The software stack is scanned for new vulnerabilities and exploits, which are then remediated. Emergencies such as zero-day exploits are also addressed.
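The two SBOM uses described above (validating that the SBOM matches what was actually built, and matching declared versions against new advisories) are shown in the following added example, which is not Affinial's tooling. The CycloneDX-style SBOM, the build inventory and the advisory records are constructed; the package names, versions and advisory ids are fictitious placeholders, and a real pipeline would take the advisories from a feed such as NVD or OSV rather than an inline list.

```python
"""Reconcile an SBOM against the built artifact and a vulnerability feed.
Added example, not Affinial's tooling; all data below is constructed."""
import json

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http-client", "version": "2.3.1"},
    {"type": "library", "name": "example-json-parser", "version": "1.9.0"},
    {"type": "library", "name": "example-tls", "version": "3.0.4"}
  ]
}"""

# Constructed: what a scanner found in the built artifact. One component is
# present in the build but was never declared in the SBOM.
DEPLOYED_INVENTORY = {
    "example-http-client": "2.3.1",
    "example-json-parser": "1.9.0",
    "example-tls": "3.0.4",
    "example-logging": "0.4.0",
}

# Constructed advisories using an OSV-style half-open version range
# [introduced, fixed). fixed=None means no patched release exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "example-http-client",
     "introduced": "2.0.0", "fixed": "2.3.5", "cvss": 9.1, "patient_safety": True},
    {"id": "ADV-EXAMPLE-0002", "package": "example-json-parser",
     "introduced": "0.0.0", "fixed": "1.8.2", "cvss": 5.3, "patient_safety": False},
    {"id": "ADV-EXAMPLE-0003", "package": "example-tls",
     "introduced": "3.0.0", "fixed": None, "cvss": 7.5, "patient_safety": False},
]


def parse_version(text: str) -> tuple:
    """Dotted numeric versions only (an assumption made for this example)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, introduced: str, fixed) -> bool:
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def sbom_components(sbom_json: str) -> dict:
    """name -> version for every component declared in the SBOM."""
    return {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}


def reconcile(sbom_json: str, inventory: dict) -> dict:
    """Validate the SBOM against the build: any difference is an SBOM defect
    that must be fixed before release, because an undeclared component is
    never monitored for advisories."""
    declared = sbom_components(sbom_json)
    return {
        "undeclared": sorted(set(inventory) - set(declared)),
        "missing_from_build": sorted(set(declared) - set(inventory)),
        "version_mismatch": sorted(
            name for name in declared
            if name in inventory and declared[name] != inventory[name]),
    }


def findings(sbom_json: str, advisories: list) -> list:
    """Advisories that apply to declared versions, most urgent first:
    patient-safety impact outranks CVSS, then higher CVSS comes first."""
    declared = sbom_components(sbom_json)
    hits = []
    for adv in advisories:
        version = declared.get(adv["package"])
        if version is None or not is_affected(version, adv["introduced"], adv["fixed"]):
            continue
        hits.append({
            "advisory": adv["id"],
            "package": adv["package"],
            "version": version,
            "cvss": adv["cvss"],
            "patient_safety": adv["patient_safety"],
            "action": (f"upgrade to {adv['fixed']}" if adv["fixed"]
                       else "no fix yet: apply compensating control and track the vendor"),
        })
    hits.sort(key=lambda h: (not h["patient_safety"], -h["cvss"]))
    return hits


if __name__ == "__main__":
    print(json.dumps(reconcile(SBOM_JSON, DEPLOYED_INVENTORY), indent=2))
    for hit in findings(SBOM_JSON, ADVISORIES):
        print(hit)
```

The already-fixed json-parser advisory correctly produces no finding, the patient-safety item ranks above the higher-CVSS-only item, and the advisory with no fix available is surfaced rather than dropped, which is the zero-day case the maintenance process has to handle with compensating controls until a patch exists.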
- Security Risk Management
All identified issues go through a risk assessment based on AAMI TIR57:2016 (R2019) (Principles for Medical Device Security Risk Management) to determine their criticality from both a patient safety and a cybersecurity perspective. Critical issues affecting patient safety are addressed within the FDA response timeline. This standard is powerful because it provides a standard way for ISO 14971 risks and cybersecurity risks to be assessed together, so that the overlapping areas that impact patient safety can be found.
Cybersecurity is a cyclical process that needs to be repeated frequently throughout a product’s life cycle, particularly when new features are added. Digital health solutions built on Affinial benefit from the platform continuously monitoring for cybersecurity threats and regularly deploying post-market updates to address identified vulnerabilities, reducing the burden on pharma companies of ensuring they respond to ever-evolving security risks.
If you would like to learn more about how Affinial helps pharma companies manage the cybersecurity requirements for their digital health solutions, get in touch with us, or request a demo of the platform with one of our digital health experts.