The cost of a data breach for healthcare organizations continues to rise: what was $380 per record in 2017 became $408 per record by the end of last year. Medical data is undoubtedly a soft target, ripe for the picking, and network-connected medical devices are a significant attack surface in their own right, so they contribute a great deal to the damage caused by data breaches.
“With new regulatory guidance being developed by FDA, medical devices manufacturers will need to prove that their devices are secure...” This is one of the opening lines of the paper “A Security Argument Pattern for Medical Device Assurance Cases,” published in 2014 and co-authored by Anita Finnegan, founder of Nova Leah. Her company has turned the security framework proposed in that paper into its flagship product, SELECTEVIDENCE. The FDA published its first medical device cybersecurity guidance in 2012 and a subsequent one in 2014, and it has already begun revising them, which shows how seriously the agency takes the security of medical devices in the marketplace. SELECTEVIDENCE is a cybersecurity risk management compliance solution: it checks every line item of the FDA pre- and post-market cybersecurity guidance to give an accurate picture of the regulatory side of medical device cybersecurity. Nova Leah goes further in improving the manufacturer’s security posture by feeding its software bill of materials (SBOM) into SELECTEVIDENCE, which then continuously monitors that SBOM to identify associated vulnerabilities, to identify controls or patches where available, and to provide a tool for establishing the risk level. Nova Leah’s objective is for the existing software and system development teams in the medical device industry to use SELECTEVIDENCE to perform the work that a cybersecurity engineer would do.
SELECTEVIDENCE is offered as an easy-to-use turnkey solution: a definitive medical device cybersecurity framework.
At the same time, the product offers a number of customizable features that manufacturers can tweak to suit their business processes, such as the way they evaluate cybersecurity risks. While some prefer a qualitative method that classifies risks as high, medium or low, others may adopt the approach most often recommended in critical infrastructure domains, the Common Vulnerability Scoring System (CVSS). Since CVSS measures the technical severity of a vulnerability rather than its patient-safety impact, manufacturers typically pair it with a safety impact assessment rather than using the score alone. The solution can also take historical data as input if manufacturers have carried out cybersecurity risk assessments for vulnerability monitoring in the past. The application is backed by interlinked repositories of threats, vulnerabilities and security controls, which is what makes it intelligent and intuitive. “If SELECTEVIDENCE identifies one threat, it can then see all potential vulnerabilities that could realize these threats and then a catalogue of controls that could mitigate the risk,” states Anita.
With regulations and best practices changing frequently, Nova Leah is continuously evolving SELECTEVIDENCE to keep pace with them. The FDA has now issued draft revisions to its premarket cybersecurity guidance, and one of Nova Leah’s key goals is to stay on top of regulation and best practice so that its customers never need to worry. The company’s primary driver is intelligence and knowledge sharing: capturing data from the industry as soon as it becomes available so that it can be shared with customers.