Scrutinizing Security When Procuring Medical Devices
Expert Urges Investigating Safety Issues Before Devices Are Implemented
To improve patient safety, healthcare organizations should more closely scrutinize the cybersecurity of networked medical devices during the procurement process, says security expert Beau Woods.
"Inform the decision makers - be they physicians, hospital administrators, procurement officers, or whomever - of some of the cybersecurity risks; talk about why these things are important, why you want to be sure the software has been vetted," Woods says in an interview with Information Security Media Group. "Building these kinds of things into the procurement process as early as possible allows healthcare organizations to improve their assurance and trust in the devices that they are buying."
Woods, a security consultant, is a leader of "I Am the Cavalry," a not-for-profit cyber safety advocacy organization. A group of security researchers formed the organization in 2013 to focus on issues "where computer security intersects public safety and human life." In addition to medical devices, the group is calling attention to security issues involved in automobiles, public infrastructure and the Internet of Things.
Medical Device Risks
Over the last few years, some independent security researchers have discovered cybersecurity flaws in various networked medical devices that could, for example, allow unauthorized users to gain control of the devices.
Despite the vulnerabilities in medical devices uncovered by independent researchers - including flaws spotlighted in a recent Food and Drug Administration alert about certain infusion pumps from manufacturer Hospira - FDA officials have said that the agency has not received reports of patients actually being harmed by cyber-attacks on devices (see FDA Official: More Medical Device Vulnerability Discoveries Are Likely).
But Woods contends the healthcare sector clearly needs to ramp up its efforts to address cybersecurity problems in medical devices to avoid patient safety issues.
In the interview, Woods also discusses:
- Collaborative efforts underway between medical device makers and the independent security researchers who find cybersecurity vulnerabilities in the devices;
- Plans by the FDA to issue new guidance regarding the cybersecurity of medical devices already in use by healthcare organizations;
- Predictions for medical device cybersecurity developments in 2016.
In addition to his volunteer role with "I Am The Cavalry," Woods is founder of the security consulting firm Stratigos Security. He has advised dozens of organizations on security practice, strategy and technology, including Global 100, small businesses, government agencies and others.