The subject of medical device hacking has been receiving an unprecedented amount of attention, following FDA’s release of guidance on the subject, titled “Cybersecurity for Medical Devices and Hospital Networks.” In the past week, CNN featured a segment titled “How hackers can kill you.” One recent headline reads: “Barnaby Jack Could Hack Your Pacemaker and Make Your Heart Explode.” The Economist, too, weighed in on the subject with a piece titled “How vulnerable are medical devices to hackers?”
So what can the medical device industry do to address potential security problems? What follows is a thumbnail sketch, broken into steps:
1. “Really the key is integrating security into the product design and development lifecycle,” says Matthew Neely, director of strategic initiatives at SecureState (Bedford Heights, OH). “If you try to add security on at the end of developing a product, often it is going to be hugely expensive and not as efficient.” From the start of developing a new medical device, security requirements belong alongside the functional requirements of the product, written down and tracked the same way.
2. Next, Neely recommends doing a threat assessment to figure out what the likely threats to the medical device will be, ranging from commodity computer viruses and well-meaning but careless users to actual attackers who target the device specifically. That assessment then determines the appropriate level of protection for the device: the higher the likelihood and impact of the threats it faces, the stronger the controls it needs.
3. “From there, as the device starts to be designed, make sure the security requirements are being met during the design process and make sure that the design has been reviewed before the product goes off to be manufactured,” Neely says. “Even before prototyping, often just a paper review can be helpful.” He suggests following FDA’s guidance on the subject.
4. Before the device goes into production, have security testing performed on it throughout the prototyping and development process, checking each security requirement against the threats it is meant to address. “We’ve seen companies train internal staff to do some of that testing. Often, you can train up QA departments to do some of that testing or bring in a third party that has that expertise,” Neely says. “When the product is finalized, we recommend having a third party come in just to get a fresh set of eyes to make sure that the security requirements are being met and there are no vulnerabilities in the product.”
5. Once the device is released, give purchasers guidance on how to install it securely. “A lot of times, hospitals get these devices and they don’t really have guidance on whether they need a firewall, what kinds of accounts are needed, and that type of stuff,” Neely says. “So give guidance on how to set the device up on their network.”
6. Even if you go through all of the work of making sure security is built into the development process, there will still be things that are missed, Neely says. “So it is important to make sure there is a good patch process afterwards to fix them once the product has been released.” Once a patch has been developed, Neely recommends having it tested before it goes out to hospitals and end users, and providing clear instructions on how to install the patch securely.
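As an added example, not code from the article or from SecureState, here is a small Python script that turns steps 2 through 4 into something a team can actually run during development: threats are scored on a likelihood-by-impact scale, each security requirement records which threats it mitigates and which test cases verify it, and a release gate fails while any requirement is untested or failing. The device (a hypothetical networked infusion pump), the threat catalogue, the 3x3 scoring scale, the requirement text, the test-case ids and the test results are all constructed for illustration; a real assessment would draw on the device's own risk management file.

```python
"""Threat assessment and security-requirement traceability check.

Added illustrative example, not code from the article or from SecureState.
The threat catalogue, the 3x3 scoring scale, the requirement set and the
test results below are all constructed for the example.
"""
from dataclasses import dataclass

# Constructed ordinal scales. A device maker would normally reuse the
# likelihood and severity scales from its existing risk management file.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "serious": 2, "critical": 3}


@dataclass(frozen=True)
class Threat:
    tid: str
    actor: str          # who or what: malware, benign user, targeted attacker
    description: str
    likelihood: str
    impact: str

    def risk(self) -> int:
        """Ordinal risk score: likelihood x impact on the 1..9 scale above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    mitigates: tuple    # ids of the threats this requirement addresses
    tests: tuple        # ids of the test cases that verify it


def protection_level(score: int) -> str:
    """Map a risk score to the level of protection the device needs."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Constructed sample data for a hypothetical networked infusion pump.
THREATS = (
    Threat("T1", "malware", "commodity malware introduced via USB service port", "likely", "serious"),
    Threat("T2", "benign user", "clinician misconfigures network settings", "possible", "minor"),
    Threat("T3", "targeted attacker", "remote change of therapy settings over the hospital LAN", "possible", "critical"),
    Threat("T4", "opportunist", "physical theft of a unit and its stored logs", "rare", "serious"),
)

REQUIREMENTS = (
    Requirement("R1", "Accept only signed firmware images", ("T1",), ("TC-01",)),
    Requirement("R2", "Authenticate before therapy settings can be changed", ("T3",), ("TC-02", "TC-03")),
    Requirement("R3", "Disable unused network services by default", ("T1", "T3"), ()),
    Requirement("R4", "Ship a secure-installation guide (firewall rules, accounts)", ("T2",), ("TC-04",)),
)

# Constructed results of the test campaign so far: test id -> passed?
TEST_RESULTS = {"TC-01": True, "TC-02": True, "TC-03": False, "TC-04": True}


def assess(threats, requirements, test_results):
    """Cross-check threats, requirements and test results.

    Returns the protection level the device needs (driven by its worst
    threat) and three kinds of gap: threats no requirement mitigates,
    requirements no test verifies, and requirements with failing tests.
    """
    mitigated = {t for r in requirements for t in r.mitigates}
    unmitigated = [t.tid for t in threats if t.tid not in mitigated]
    untested = [r.rid for r in requirements if not r.tests]
    failing = {}
    for r in requirements:
        failed = [tc for tc in r.tests if not test_results.get(tc, False)]
        if failed:
            failing[r.rid] = failed
    worst = max(t.risk() for t in threats)
    return {
        "device_level": protection_level(worst),
        "unmitigated": unmitigated,
        "untested": untested,
        "failing": failing,
    }


def release_ready(report, threats) -> bool:
    """Gate for step 4: no medium or high threat left unmitigated, every
    requirement has at least one test, and every listed test passes."""
    by_id = {t.tid: t for t in threats}
    serious_gaps = [tid for tid in report["unmitigated"]
                    if protection_level(by_id[tid].risk()) != "low"]
    return not serious_gaps and not report["untested"] and not report["failing"]


if __name__ == "__main__":
    report = assess(THREATS, REQUIREMENTS, TEST_RESULTS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("release ready:", release_ready(report, THREATS))
```

Run as written, the report shows the device needs a high level of protection (T1 and T3 both score 6), T4 has no mitigating requirement (accepted here because its risk is low), R3 has no test at all, and R2 has a failing test, so the gate stays closed. The same structure carries into step 6: a patch that adds or changes a requirement is recorded the same way, and the gate does not reopen until its tests pass.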
Note: MPMN recently published a related article on this topic titled: “Tips to Keep Your Medical Device from Getting Hacked.”
-Brian Buntz is the editor-in-chief of MPMN and Qmed. Follow him on Twitter at @brian_buntz. Posted on June 25, 2013 – 12:35PM