Embracing Cybersecurity Risk Management in the Industry of Medical Devices

Maria Lai-Ling Lam (AJ-Great Limited, China) and Kei Wing Wong (Calvin College, USA)
DOI: 10.4018/978-1-5225-3468-6.ch010


The promises of Industry 4.0 in the medical device industry need to be built on sound cybersecurity infrastructures, policies, and practices. During 2011-2017, the authors interviewed many manufacturers of medical devices in China, Germany, Israel, Japan, Taiwan, and the U.S. about their attitudes towards cybersecurity. Many manufacturers are not committed to cybersecurity risk management because they pursue lower cost and shorter product life cycles; do not have sufficient knowledge of the operating environments of hospitals; have a defensive attitude toward vulnerability disclosure; and reap quick benefits from the low level of trust among stakeholders and the unequal power between manufacturers and distributors. Only a few large U.S. manufacturers of medical devices have set up robust secure platforms and interoperable optimal standards which benefit the users. As cybersecurity is a shared responsibility, many small and medium-sized enterprises need to be empowered through the support of international organizations and local government policies.
Chapter Preview


Industry 4.0, the fourth industrial revolution, allows intelligent data gathering, data storage, data distribution, and real-time responses through many heterogeneous cyber-physical systems and the internet of things [IoT] (General Electric, 2017; Siemens, 2016). Some promising examples of Industry 4.0 in the medical device industry are robotics in health care, fitness apps, tele-medicine, smart home care, and real-time processing through data analytics and data mining. Industry 4.0 empowers but also disrupts the current manufacturing sector of medical devices. Manufacturers not only can digitally manage the entire lifecycle of products and production processes through the IoT, cyber-physical systems, powerful sensors and big-data analytics, but can also predict the maintenance needs of their smart products (Chiu et al., 2017; Loffler & Tschiesner, 2013; Sogeti, 2017). When an operational technology system and an information technology system are integrated in the manufacturing process, cybersecurity is an on-going significant challenge in the heterogeneous environments constructed by Industry 4.0 (Woodside Capital Partners, 2017). The manufacturers must comprehend the complexity of managing the cybersecurity of diverse devices and systems when new medical devices are added to the existing systems of health care providers. They are called to design their new devices with in-depth knowledge of the users’ operating environment and to be open to any vulnerability report from the community (Food and Drug Administration [FDA], 2016; Fu, 2014; National Institute of Standards and Technology [NIST], 2017; Schwartz, 2016).

The promise of Industry 4.0 in the medical device industry needs to be built on sound cybersecurity infrastructures, policies, and practices. Manufacturers must know how to design and implement a secure embedded system that typically must provide multiple functions, security features, and real-time guarantees at a minimum cost (Sadeghi et al., 2015). When they want to realize the benefits of Industry 4.0, they must assure the cybersecurity of their own systems and also of the systems that support the health care providers and other stakeholders. These manufacturers must monitor the performance of their smart products in the hands of health care providers and must be willing to carry out predictive maintenance and to assess the vulnerability of the devices once they are installed in the systems of health care providers (Kobes, 2014; Schwartz, 2016). Unfortunately, cybersecurity is not treated as the first priority in the design process of many manufacturers of medical devices (Cooper, 2016). The practice of Industry 4.0 in the entire medical device industry also challenges our existing social and legal systems (Doehmann, 2016). Its impact may become greater in our existing embedded health care systems and networks, which are not equipped with updated software.
