Cybersecurity Risk Management as Shared Responsibility among Stakeholders in the Medical Devices Industry

Contributed Talk | Day 3 | 9:20 am | 40 Minute Duration | Grand Gallery D
The promise of big data in the medical device industry needs to be built on sound cybersecurity infrastructures, policies, and practices. Cybersecurity risk management is regarded as a shared responsibility among stakeholders, including manufacturers, users, information technology vendors, and health care delivery organizations. Manufacturers are expected to have industry self-regulations that monitor the cybersecurity of the entire smart product life-cycle process. Manufacturers must assure the cybersecurity of their own systems and also of the systems that support health care providers and other stakeholders. These manufacturers must monitor the performance of their smart products in the hands of health care providers and be willing to undertake predictive maintenance and to assess the vulnerability of the devices once they are installed in the systems of health care providers.

However, the entire medical device ecosystem is very complex, complicated, uncertain, intensive, diverse, and evolving rapidly. Many manufacturers of medical devices are criticized for lagging behind the banking and finance industries in terms of cybersecurity management and standard setting.

During 2016-2018, the author interviewed many manufacturers of medical devices about their attitude towards cybersecurity at several prominent international medical exhibitions in China, Israel, the United Arab Emirates, Taiwan, Germany, the United States, and Hong Kong. Many manufacturers were found not to be committed to cybersecurity risk management because they pursue lower cost and shorter product life cycles; do not have sufficient knowledge of the operating environments of hospitals; have a defensive attitude toward vulnerability disclosure; and reap quick benefits from the low level of trust among stakeholders and the unequal power between manufacturers and distributors.

Many ethical issues about data ownership, data protection, data interpretation, data regulations, and data security need to be discussed widely within an organization and in the community. Expertise about big data is always incomplete. There is a time gap between cause and effect as more and more complex technologies are adopted. Each organizational actor needs to set its own privacy and transparency codes while it also develops social capacities for reflection and resilience. It also needs to develop trusting relations with its stakeholders while using the vast amount of data. The choice of data and algorithms is not a politically neutral process, and can be location specific. The algorithm used to interpret the data collected may be controlled by the key powerful manufacturers. Through the presentation, the author hopes to inspire more stakeholders to ask questions about the algorithms that guide the automatic processes of many medical devices and to request that manufacturers of medical devices invest in the stress endurance processes of their algorithms.