Medical Devices: The Security Costs

Consortium Working on Comparative Tool

May 21, 2013.
The Medical Device Innovation, Safety and Security Consortium is refining a tool that cost-adjusts medical devices based on their security attributes, says Dale Nordenberg, M.D., executive director.

"This delivers a very important message to the market, which is healthcare organizations are willing to pay for security," Nordenberg says in an interview with HealthcareInfoSecurity (transcript below).

"Two years ago when we started, manufacturers were asking the question, "Will healthcare delivery organizations pay for security?" This cost-based tool, which was developed at John Muir Healthcare System, has been deployed and is now being modified by MDISS. The fact that this has been well-received both by healthcare systems and manufacturers supports our market-based approach."

Protecting medical devices against security threats that could have potentially catastrophic safety implications for patients is difficult, Nordenberg acknowledges. That's because devices vary widely, from health apps running on wireless mobile devices used by consumers to wireless implanted devices and bedside diagnostic and therapeutic devices used at hospitals.

"Medical device security is a complex issue, for which the risks to patients and to privacy are not clearly understood," says Nordenberg, founder of the consortium, a public/private partnership that's working on a conceptual framework for security that spans the lifecycle of all types of medical devices.

"It's important to realize that no one entity, no healthcare delivery organization, manufacturer or technology company can mitigate all the risk," he says.

Healthcare providers can take specific steps to reduce some of the risks, from ensuring that their systems have the latest software updates available from manufacturers to improving the training of those who operate the devices, he says.

In the interview, Nordenberg discusses:

  • The risks posed by medical devices;
  • Why he believes malware is more of a threat than hacking;
  • Regulatory developments in 2013 that could begin to address key issues in medical device security.

In addition to his role leading the consortium, Nordenberg, a pediatrician, is CEO of the consulting firm Novasano Health and Science. He formerly was a managing director in the healthcare practice at PricewaterhouseCoopers. And from 2002 through 2007, he held various positions at the Centers for Disease Control and Prevention, including associate director and CIO at the National Center for Infectious Diseases and senior adviser for strategic planning in the CDC's office of the CIO.

The Consortium

MARIANNE MCGEE: Tell us briefly about your organization and your role?

DALE NORDENBERG: Our organization started about two years ago. Our founding organizations include Kaiser Permanente and the VA Healthcare System. We were started because of concerns these organizations had around medical devices, specifically security vulnerabilities that they perceived that these devices had, and the potential adverse impact that an exploited vulnerability might have in terms of patient safety and patient quality of care.

Since that time, we've been able to recruit over 35 different healthcare organizations, many of the leading healthcare organizations across the country. ... We also made sure that we were reaching down to achieve a broad spectrum of representation. We have county-based healthcare organizations. We've got smaller hospitals or smaller healthcare systems in addition to these large national enterprises.

My role is that of executive director. I see my role primarily being the convening of facilitation of contribution by our expert organizations, which now include the healthcare delivery organizations I've mentioned, but also include government agencies that are actively participating in the consortium, as well as technology companies, including manufacturers. What we've tried to do in the consortium is to create a robust ecosystem of stakeholders that are interested in medical device innovation, safety and security.

Medical Device Risks

MCGEE: Why are medical devices a security risk?
