Security Benchmarks for Medical Devices

New Initiative Will Outline Appropriate Controls
Security Benchmarks for Medical Devices

A new initiative is working toward developing security control benchmarks, or best practices, for Internet-enabled medical devices. The first voluntary guidelines, designed for infusion pumps, are targeted for release by year's end, says Will Pelgrin, president and CEO of the Center for Internet Security, which is spearheading the effort.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

CIS is a non-profit organization focused on enhancing the cybersecurity readiness and response of public and private-sector entities. Through its security benchmarks division, it has already produced voluntary guidance in other areas, such as passwords.

The Center recently issued a request for information to U.S. medical device manufacturers seeking volunteers to participate in the development of security control benchmarks. But it's also inviting healthcare providers and others to participate.

A Hot Topic

The benchmarking effort is designed to get ahead of the risk before something "catastrophic" happens, Pelgrin says. "These devices have now become so IT-centric and mobile, the need to protect them and the technologies they rely on is critical," he says.

The issue of medical device security has gained attention in recent months. For example, some security experts have exposed vulnerabilities in wireless insulin pumps (see: Addressing Medical Device Security Flaws). Others have identified risks involved when devices are unknowingly exposed to the Internet (see: Identifying Vulnerable Medical Devices). Other concerns include password vulnerabilities and malware-related issues.

Building on FDA Effort

The benchmarks will build upon recommendations in the Food and Drug Administration's draft "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" (see: FDA Drafts Medical Device Security Guide).

"We are working very collaboratively with the FDA, and our benchmarks will map to their guidance," Pelgrin says. "The FDA guidance is more strategic; our benchmarks will be very tactical."

By tactical, Pelgrin means the benchmarks will provide detailed steps that should be taken to improve the security of specific technologies. The benchmarks, however, will not be requirements or regulations. "They're best practice recommendations that can be adopted voluntarily," he stresses.

CIS will be joined by the National Health Information Sharing and Analysis Center in coordinating this initiative. The Multi-State ISAC, which CIS operates, will also be involved. "We will leverage the expertise there as part of this process," Pelgrin says.

The first healthcare provider to join the initiative is Albany Medical Center in New York. Provider involvement will help ensure the best practices are practical, Pelgrin says. "We want to produce a product that can help improve security, while also meeting the operational needs of the users of these devices," he says.

Those interested in participating in the benchmarking program can visit for more information.

Benchmarking Process

The security benchmarks that the CIS develops provide guidance on security-focused configuration controls to be applied to a wide range of technologies, Pelgrin says. The benchmarks provide specific procedures on how to implement the controls and audit procedures to verify that the controls were correctly implemented.

The CIS has worked with IT security subject matter experts within government, businesses and academia from around the world to develop benchmarks, Pelgrin says. "Anyone who wants to contribute to the creation of any benchmark is welcome," he notes.

When a need for security configuration guidance is identified for a specific system or technology, the team involved in the project will identify the security impacts that should be addressed, Pelgrin says. "Through an ongoing and iterative process, the benchmark is drafted, reviewed and commented upon and ultimately finalized," he says.

The new medical device benchmarks, which will provide prescriptive, implementable instructions for hardening systems, will be released to the public on the CIS website as PDF documents, Pelgrin says.

Insulin Infusion Pump Benchmarks

"Our goal is to have the first insulin infusion pumps [benchmark] available by the end of this calendar year," Pelgrin says.

Subsequent medical device benchmarks will be developed based on the input of CIS's consensus committee, he explains.

"This will be an ongoing process - not only for the development of new benchmarks, but also maintaining them to ensure they remain current and responsive to the changing environment."

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.