Help With Medical Device SecurityNew Resources Aid in Ensuring Safety
I'm pleased that the issue of medical device security is finally getting more attention. After all, threats to networked devices can do far more than expose personal information; they have the potential to be life-threatening if devices malfunction.
As my colleague Marianne Kolbasuk McGee reported, an all-day workshop at the recent HIMSS Conference outlined many of the key issues involved in improving device security (see: Medical Device Security: The Hurdles).
We think this is one of the biggest black holes in healthcare.
And healthcare organizations have a growing list of resources they can turn to as they build their security strategies.
The Food and Drug Administration last year issued draft cybersecurity guidance for medical device manufacturers. The FDA also issued a "safety communication" to manufacturers and healthcare organizations listing steps they should consider taking to mitigate cybersecurity risks to medical devices.
Help with risk management practices is also being offered by others, including the Medical Device Innovation, Safety and Security Consortium. The group is getting ready to unveil the Medical Device Risk Assessment Platform, which provides guidance for risk-based assessments of common security capabilities and control gaps in medical devices.
And at an educational session at the RSA Conference 2014, I learned of yet another effort to help healthcare organizations take the right steps to improve medical device security.
Accuvant, a Denver-based consulting and research firm, is beta testing what it's portraying as a "medical device security assessment framework" that it will make available for free later this year.
The framework will cover 10 domains, ranging from network security to compliance issues. It will walk users through a series of questions, providing implementation guidance and pointing to references from a wide variety of sources, including the National Institute of Standards and Technology and many others.
The consulting firm launched the project to help bolster medical device security because "we assess a lot of healthcare networks, and we see how much of a gap there is," Tim West, senior risk consultant with Accuvant, told me after his RSA presentation. "We think this is one of the biggest black holes in healthcare."
If you'd like to check out Accuvant's "work in progress" version of its medical device security guide, send a note to West at firstname.lastname@example.org, and he'll share it. He's looking for feedback to use in refining the framework before it's published in late summer.
For far too long, the issue of medical device security was not much of a priority for many healthcare organizations. So it's great to see the issue getting more attention, and it's encouraging that organizations now have more resources they can use to help build an effective strategy for ensuring patient safety as well as privacy.