Five Principles for Improving Medical Device Cybersecurity
Security Expert Beau Woods Outlines Key Steps to Take
Medical device manufacturers and healthcare entities should take five key cyber-related steps to help ensure patient safety, says Beau Woods of the grassroots cyber-safety advocacy group I Am the Cavalry.
The Hippocratic Oath for Medical Devices, a security framework that I Am the Cavalry developed and issued, can help manufacturers and healthcare providers avoid many of the cyber-related safety concerns tied to legacy medical devices, as well as products under development, he says.
"We ask that each person involved in the chain of care delivery - whether it's the medical device maker, the implementer, the biomedical group, the IT group, the physician - adhere to some key principles and capabilities," he says in an interview with Information Security Media Group.
The first of those principles is to build products with cybersecurity in mind, because vulnerabilities can potentially impact patient safety. The second is "to take help from willing allies." This means working with ethical hackers and researchers, as well as physicians or hospital IT staff, who identify cyber vulnerabilities that could enable adversaries or malicious hackers to gain access or cause a safety harm to patients, Woods says.
The third principle is to capture evidence related to potential cybersecurity or patient safety incidents, and then investigate and analyze the findings.
"If you have a medical device, make sure it can capture evidence that someone may have been tampering with it, or that it was a normal course of a disease that caused some patient safety issue, rather than what is often the case - which is [having] no ability to track modifications ... or that it's easy to erase traces of a manipulation" of a device.
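One concrete way to give a device the evidence-capture capability Woods describes is a hash-chained audit log, in which every entry is bound to all the entries before it, so that editing or deleting a record is detectable and the newest chain tag can be exported to a hospital log collector to catch truncation as well. The code below is an added example, not material from the interview or from I Am the Cavalry; the device key, the infusion-pump event names and the actor identifiers are all constructed for the demonstration.

```python
"""Tamper-evident audit log for a connected medical device (added example).

Each entry carries an HMAC over the previous entry's tag plus its own
content. Rewriting or removing an entry breaks the chain at that point;
exporting the latest tag to an external collector also exposes a trimmed
tail, which the chain alone cannot reveal. DEVICE_KEY and all sample
events are constructed for this demonstration.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo key. On a real device this would be provisioned into a
# secure element and never leave it.
DEVICE_KEY = b"constructed-demo-key"

# Fixed starting point of the chain.
GENESIS = hashlib.sha256(b"genesis").digest()


def entry_tag(prev_tag: bytes, record: Dict) -> bytes:
    """HMAC binding this record to everything recorded before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEVICE_KEY, prev_tag + payload, hashlib.sha256).digest()


class TamperEvidentLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def head(self) -> bytes:
        """Tag of the newest entry; this is what gets exported off-device."""
        return bytes.fromhex(self.entries[-1]["tag"]) if self.entries else GENESIS

    def append(self, ts: int, event: str, actor: str, **details) -> Dict:
        record = {"seq": len(self.entries), "ts": ts, "event": event,
                  "actor": actor, "details": details}
        entry = {"record": record, "tag": entry_tag(self.head(), record).hex()}
        self.entries.append(entry)
        return entry

    def verify(self, expected_head: Optional[bytes] = None) -> Optional[int]:
        """Return None if the chain is intact; otherwise the index of the first
        entry whose tag does not match, or len(entries) if the stored chain is
        valid but shorter than the externally held head tag indicates."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            stored = bytes.fromhex(entry["tag"])
            if not hmac.compare_digest(entry_tag(prev, entry["record"]), stored):
                return i
            prev = stored
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return len(self.entries)
        return None


def build_sample_log() -> TamperEvidentLog:
    """Constructed sequence of events on a hypothetical infusion pump."""
    log = TamperEvidentLog()
    log.append(1000, "dose_rate_set", "clinician:rn42", ml_per_hour=5.0)
    log.append(1060, "maintenance_login", "biomed:tech7")
    log.append(1090, "firmware_update", "biomed:tech7", version="2.1.4")
    log.append(1500, "dose_rate_set", "clinician:rn42", ml_per_hour=50.0)
    return log


def demo_edit_detected() -> Optional[int]:
    """Quietly rewriting the 50.0 ml/h entry to read 5.0 breaks the chain at index 3."""
    log = build_sample_log()
    log.entries[3]["record"]["details"]["ml_per_hour"] = 5.0
    return log.verify()


def demo_delete_detected() -> Optional[int]:
    """Removing the maintenance login (index 1) breaks the chain at the entry that followed it."""
    log = build_sample_log()
    del log.entries[1]
    return log.verify()


def demo_truncation_detected() -> Optional[int]:
    """Dropping the newest entries leaves a valid-looking chain; only the
    externally held head tag shows that it has been shortened."""
    log = build_sample_log()
    exported_head = log.head()  # what the hospital collector would have received
    log.entries = log.entries[:2]
    return log.verify(expected_head=exported_head)


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("edit:", demo_edit_detected(), "delete:", demo_delete_detected(),
          "truncation:", demo_truncation_detected())
```

Exporting `head()` after each append (or on a fixed schedule) to a system the device operator does not control is what turns the chain from a local integrity check into evidence that can distinguish tampering from the normal course of a disease after the fact.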
The fourth principle is "to isolate and contain potential issues" both within the environment itself - connected medical devices in a network - as well as the individual devices. "Sometimes, computers in a network can become hostile to a medical device because they are infected with a virus," he notes. In addition, there should be protections in place for the security of the individual medical devices, "so that systems capabilities that need to be easily accessible cannot adversely affect patient care."
The final principle is to respond quickly when cybersecurity issues are detected in devices. That includes implementing software updates for operating systems, he notes.
In the interview, Woods also discusses:
- The kinds of security issues most commonly found in medical devices;
- Lessons that other companies can learn from the Food and Drug Administration's warning letter to medical device maker Abbott concerning cardiac device battery problems and cyber-vulnerabilities that the FDA says haven't been sufficiently addressed by St. Jude Medical, which Abbott acquired in January;
- Medical device and healthcare cybersecurity issues that will be discussed during the upcoming cybersecurity workshop May 8-9 at the University of Michigan Archimedes Research Center for Medical Device Security.
In addition to his leadership role at "I Am the Cavalry," Woods is deputy director of the Atlantic Council's Cyber Statecraft Initiative, which focuses on international cooperation, competition and conflict in cyberspace.