Healthcare companies must follow medical device security best practices to defend against attacks on devices and the networks and systems they connect to.
It’s vital that healthcare companies follow medical device security best practices to defend against attacks on devices and the networks and systems they connect to—especially during a pandemic.
The COVID-19 pandemic has increased the number of medical devices used at home, so ensuring the security of those devices is essential. In addition, all baby boomers will reach retirement age by 2030. This rapid growth of an aging population underscores the importance of secure and reliable healthcare products and services, including medical devices. To meet this need, many medical devices connect to server-side systems, which has created a surge in demand for expertise in both medical device security and system security.
Security weaknesses, vulnerabilities, and data breaches can put patient safety at risk and expose healthcare companies to data disclosure and HIPAA regulatory risks. How can vital medical devices be kept safe, especially during a pandemic when professional healthcare staff cannot monitor them in person? What measures should medical device companies take to ensure patient safety? Here are five steps that healthcare companies should take to secure their medical devices.
Security works best when it’s treated as an intrinsic property of a software system rather than bolting it on at the end. Medical device manufacturers and system developers should establish a well-defined secure software development life cycle (SSDLC) that includes proactive processes to identify security requirements, design defects, and code-level bugs. a key activity in the SSDLC, identifies system assets and methods (called threat vectors or attack vectors) that attackers could compromise. It also helps an organization understand an application’s threat landscape, identify security requirements and design defects, and get actionable guidance for security testing. In most cases, companies with a successful SSDLC also measure and continually improve maturity of such programs.
Many organizations—including medical device companies—are moving their IT infrastructures to the cloud. Companies like McKesson are creating cloud and infrastructure services that are changing the way medical systems are deployed. Therefore, it’s critical to understand the security ramifications of cloud services, such as:
Although some evidence suggests that cloud providers do a better job of protecting against data breaches and loss, healthcare companies must understand that infrastructure can be transferred to the cloud more easily than the risk itself. In the case of a data breach, it’s usually the healthcare companies that are liable—not the cloud providers.
No amount of security investment can guarantee that medical systems will never be breached. Proper logging and monitoring controls can help detect any malicious attacks and their impact on the system as soon as they occur.
The life cycle of medical devices is often much longer than that of handheld devices like smart phones—some can be used for many years if not decades. In addition, some devices operate in an environment where patching for security bugs is cost-prohibitive or simply not possible. Using a secure platform to build medical devices is critical. The National Vulnerability Database shows many more security vulnerabilities in an operating system such as Windows 10 than in a secure operating systems such as the QNX. Using a secure operating system reduces the need for security-related patching.
Although establishing a SSDLC is necessary, it’s not enough. Maintaining security is a shared responsibility between patients, providers, and medical device/system manufacturers. Medical device and system creators must understand how their systems are deployed and used. They must also provide necessary security guidance to their customers.
The COVID-19 pandemic has highlighted the need to examine medical device security in a larger context, including the connections to larger, server-based systems and databases in a cloud environment. Following best practices for medical device security will help your organization protect your medical devices and systems against hackers.
Chandu Ketkar is a principal security consultant at Synopsys. His vast security expertise includes architecture security, secure design assessment automation, medical device and systems security, cryptography, mobile application security, maturity models, and software security initiatives (SSI). Chandu also has over 25 years of experience building software and says if he knew back then what he knows now, he would have built it a lot safer. He is a member of the AAMI and is actively engaged in creating an automation tool to scale architecture/design risk assessments. When he’s not building code for medical devices, Chandu relaxes by singing and listening to music.