Medical Device Cybersecurity: 3 Vital Steps
Security Lab Leader Kevin Fu Describes Essential Action Items
Healthcare organizations should take three important steps to help improve the cybersecurity of medical devices used in their environments, says security expert Kevin Fu.
"Healthcare providers, hospitals and clinics are really in a tough spot because it's difficult for them to purchase anything that has even a hope of being securely configured," Fu, director of the security and privacy lab at the University of Michigan, says in an interview with Information Security Media Group.
The Food and Drug Administration has been taking steps to raise awareness of the cybersecurity risks posed by medical devices. That includes issuing a warning in August urging healthcare organizations to discontinue the use of a family of medical devices due to safety concerns related to cybersecurity issues (see FDA: Discontinue Use of Flawed Infusion Pumps).
The first essential step healthcare organizations need to take to improve the cybersecurity of medical devices used in their environments, Fu says, is to evaluate the security of these products during the procurement process.
"It's the power of the purse. Some of the larger hospital systems are demanding very specific cybersecurity requirements before they will purchase a large quantity of medical devices," he says. "I know of cases where a healthcare provider will move on and pick a different manufacturer when another manufacturer wasn't taking cybersecurity seriously at procurement."
The second step to take is isolation of medical devices on networks, "so that if something does get infected [with malware], it doesn't spread quickly," Fu says. But this approach "is very tricky, it's very difficult to manage," he acknowledges.
The third step, he says, is to improve surveillance and detection of incoming threats, including malware.
In the interview, Fu also discusses:
- The security challenges posed by older medical devices running outdated operating systems, such as Windows XP;
- How improved collaboration between medical device makers and independent security researchers can improve the cybersecurity of devices;
- Predictions for medical device cybersecurity developments in 2016.
Before joining the University of Michigan last year as associate professor of electrical engineering and computer science, Fu served as an associate professor of computer science and adjunct associate professor of electrical and computer engineering at the University of Massachusetts Amherst. Fu also has served as a visiting scientist at the Food and Drug Administration, the Beth Israel Deaconess Medical Center, Microsoft Research and MIT CSAIL. He is a member of the NIST Information Security and Privacy Advisory Board. Fu was also the recipient of a Sloan Research Fellowship and a National Science Foundation Career Award, and was named MIT Technology Review TR35 Innovator of the Year. He earned his Ph.D. in electrical engineering and computer science at MIT for research on secure storage and Web authentication.