Securing Medical Devices, Where to Start?

During a recent discussion held at the Bipartisan Policy Center, titled Cybersecurity and Medical Devices: Risk Assessment and Response, a panel of experts led a discussion about raising medical device security standards and educating the public on the risks versus benefits of technological innovation in the industry. Michael Chertoff, Executive Chairman and Co-Founder of The Chertoff Group and former Secretary of the U.S. Department of Homeland Security (DHS), noted that the current wave of innovation in the medical device industry is an opportunity: risk and vulnerability management is more efficient and effective when built in during the development and design stages than when vulnerability fixes are retrofitted to devices already in the field.

Chertoff described the risk mitigation process he has found most successful after watching it implemented across multiple industries. The process has five steps:

  1. Educate the board and senior management on potential threats and risks
    - Threat = what the adversary is actually doing
    - Risk = the threat multiplied by the consequence
  2. Take ownership of threat and risk mitigation by treating the cyber threat like any other threat discussed within your organization
  3. Implement a threat mitigation strategy within your company after careful analysis and expert guidance
  4. Allocate human capital and financial resources to successfully uphold the strategy
  5. Hold all individuals within the company accountable for behaviors that create potential threats and risks

Medical devices are not a “one size fits all” type of solution, and neither is the problem of securing them. With so many options available (non-surgical, implanted, portable, and so on), these devices not only aid the user but also store and transmit sensitive user data. Protecting this data should be a priority, but with the numerous options available throughout the market, it is difficult to know where to start.

The technology embedded in these evolving medical devices allows for less intrusive treatment as time goes on. Not only are the devices becoming smaller, but they also offer increased connectivity, whether between patients’ phones and networks or by providing physicians with real-time access to patient information, which leads to more proactive treatment, intervention, medication, and observation.

It is important to note that although direct access to medical records and patient data gives patients transparency, there are significant risks associated with transmitting sensitive data. Medical device manufacturers must not only address present cyber vulnerabilities but also anticipate future risks by implementing company-wide strategies that prepare for whatever risk mitigation becomes necessary. We have reached a point where cybersecurity can affect the well-being of a person with an implanted medical device.

Like all devices that process sensitive data, medical devices and solutions could benefit from obtaining security certifications such as FIPS 140-2, Common Criteria, and listing on the DoDIN APL.

Stay up to date with Corsec as we bring you the most recent updates to the standards, certifications, and requirements.