Is your medical device secure? I learned a lot about the latest trends in cybersecurity and how to protect medical devices and hospitals at a conference this week hosted in San Francisco and featuring presentations by cybersecurity experts from the medical device industry, from hospital systems, and from vendors of security tools. Medical device cybersecurity is a rapidly evolving field but there are a few key principles that remain constant and which anyone developing connected medical devices should know.
First is the concept of “security by design,” addressing security at every stage of product development (“baked in” instead of “bolted on” after development). For medical device companies this means fully integrating cybersecurity into all aspects of product development, from early architecture to detailed design choices to V&V testing.
The second principle is “security in use” which refers to all the activities to ensure a product remains secure after launch. This involves systematic monitoring of products in the field and establishing company procedures to react rapidly to security incidents.
So how can a product development team anticipate cybersecurity threats that will arise in the future? They can’t—no matter how carefully you’ve designed security measures into a new medical device at the time of product launch, at some point in the future the product is likely to develop a security vulnerability Therefore, managing cybersecurity throughout the life cycle of a medical device means having a well defined software patch management process for updating products in the field. Patch management needs to cover both patches of your own product software as well as patches of the OS or other 3 rd party software included in your product. The product should be designed for securely accepting software patches in an environment of evolving threats. For example, designing in two separate methods in the product for software updates so that if one method becomes a vulnerability in the future, you can still use the other method to maintain the product.
Another key lesson I learned from this conference was the importance of protecting against threats from all directions in a modern healthcare system, which requires a multi-disciplinary approach to security. David Snyder of 42tek.com lead an expert panel on this subject titled “Cybersecurity for Medical Devices is a Team Sport”. Security managers from multiple healthcare organizations described the day-to-day challenges of maintaining hospital operations and responding to attacks. Crucial in all this is close coordination between the manufacturer and the healthcare organization to ensure system-wide security and to rapidly address security breaches and restore devices to a safe state.
Want to learn more about medical device cybersecurity?
Here are some useful links for medical device cybersecurity:
Product Security Framework and security templates generously provided on the BD company website:
NIST Cybersecurity Home Page with “Cybersecurity Framework”
NIST Guide to Industrial Control Systems Security (247 pp):
Medical Device Vulnerability Intelligence Program for Evaluation and Response (MDISS)