1. Establish a secure software development life cycle
Security works best when it’s treated as an intrinsic property of a software system rather than bolted on at the end. Medical device manufacturers and system developers should establish a well-defined secure software development life cycle (SSDLC) that includes proactive processes to identify security requirements, design defects, and code-level bugs. Threat modeling, a key activity in the SSDLC, identifies system assets and the methods (called threat vectors or attack vectors) that attackers could use to compromise them. It also helps an organization understand an application’s threat landscape, identify security requirements and design defects, and get actionable guidance for security testing. In most cases, companies with a successful SSDLC also measure and continually improve the maturity of such programs.
2. Understand cloud security
Many organizations—including medical device companies—are moving their IT infrastructures to the cloud. Companies like McKesson are creating cloud and infrastructure services that are changing the way medical systems are deployed. Therefore, it’s critical to understand the security ramifications of cloud services, such as:
- What’s my security responsibility versus that of the cloud provider?
- How is my data protected in the cloud?
- What are the implications of HIPAA compliance standards with a move to the cloud?
- Can we trust the cloud provider with the keys to our encrypted data?
Although some evidence suggests that cloud providers do a better job of protecting against data breaches and loss, healthcare companies must understand that infrastructure can be transferred to the cloud more easily than the risk itself. In the case of a data breach, it’s usually the healthcare companies that are liable—not the cloud providers.
3. Create logging and monitoring controls
No amount of security investment can guarantee that medical systems will never be breached. Proper logging and monitoring controls can help detect any malicious attacks and their impact on the system as soon as they occur.
4. Use a secure operating system to build medical devices
The life cycle of medical devices is often much longer than that of handheld devices like smart phones—some can be used for many years if not decades. In addition, some devices operate in an environment where patching for security bugs is cost-prohibitive or simply not possible. Using a secure platform to build medical devices is critical. The National Vulnerability Database shows many more security vulnerabilities in an operating system such as Windows 10 than in a secure operating system such as QNX. Using a secure operating system reduces the need for security-related patching.
5. Remember that deployment security is equally important
Although establishing an SSDLC is necessary, it’s not enough. Maintaining security is a shared responsibility between patients, providers, and medical device/system manufacturers. Medical device and system creators must understand how their systems are deployed and used. They must also provide necessary security guidance to their customers.