The Security Scrutinizer with Howard Anderson

Help With Medical Device Security

New Resources Aid in Ensuring Safety

I'm pleased that the issue of medical device security is finally getting more attention. After all, threats to networked devices can do far more than expose personal information; they have the potential to be life-threatening if devices malfunction.

As my colleague Marianne Kolbasuk McGee reported, an all-day workshop at the recent HIMSS Conference outlined many of the key issues involved in improving device security (see: Medical Device Security: The Hurdles).

And healthcare organizations have a growing list of resources they can turn to as they build their security strategies.

The Food and Drug Administration last year issued draft cybersecurity guidance for medical device manufacturers. The FDA also issued a "safety communication" to manufacturers and healthcare organizations listing steps they should consider taking to mitigate cybersecurity risks to medical devices.

Help with risk management practices is also being offered by others, including the Medical Device Innovation, Safety and Security Consortium. The group is getting ready to unveil the Medical Device Risk Assessment Platform, which provides guidance for risk-based assessments of common security capabilities and control gaps in medical devices.

And at an educational session at the RSA Conference 2014, I learned of yet another effort to help healthcare organizations take the right steps to improve medical device security.

Assessment Framework

Accuvant, a Denver-based consulting and research firm, is beta testing what it's portraying as a "medical device security assessment framework" that it will make available for free later this year.

The framework will cover 10 domains, ranging from network security to compliance issues. It will walk users through a series of questions, providing implementation guidance and pointing to references from a wide variety of sources, including the National Institute of Standards and Technology and many others.

The consulting firm launched the project to help bolster medical device security because "we assess a lot of healthcare networks, and we see how much of a gap there is," Tim West, senior risk consultant with Accuvant, told me after his RSA presentation. "We think this is one of the biggest black holes in healthcare."

If you'd like to check out Accuvant's "work in progress" version of its medical device security guide, send a note to West at, and he'll share it. He's looking for feedback to use in refining the framework before it's published in late summer.

For far too long, the issue of medical device security was not much of a priority for many healthcare organizations. So it's great to see the issue getting more attention, and it's encouraging that organizations now have more resources they can use to help build an effective strategy for ensuring patient safety as well as privacy.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
