Medical Device Security Advice: A CISO Spells Out Essential Steps
Companies that manufacture medical devices can play a key role in ensuring data security issues are addressed.
I recently participated in a panel discussion at a conference of the Association for the Advancement of Medical Instrumentation. Here's the advice I offered to the manufacturers:
Provide accurate information on network transport and ports. Please take the time to truly understand and accurately document the networking needs of your products. When there are wide discrepancies between what is documented and what is actually used, it raises questions about the overall quality of the product. It also adds unnecessary cost to deploying and securing the product.
Include virus protection. Everyone in the business is aware that the commercial anti-virus catch rate is in the 30-percent range. That does not diminish the need to run anti-virus software as part of a meaningful security program. Although an anti-virus program can cause a number of performance problems, these can be handled through tuning the deployments and writing code to be anti-virus friendly. Anti-virus solutions should be permitted on all medical devices that are connected to a network.
Allow OS patches. For those engineering teams, product managers and executives responsible for products that do not allow patching of the OS, I have a question for you: Would you accept this constraint on your personal device? Would you be willing to handle your personal financial matters over the Internet on a Windows XP system with no patches? You are asking your customers to do worse than that - you're asking them to deliver medical care using an unpatched operating system. Permit the application of security patches to eliminate unnecessary risk.
Support Microsoft Active Directory. Build in Active Directory support for user authentication and authorization. Allow the use of global groups for granular authorization within the system. This enables more centralized management of rights and drives operational costs down.
If it isn't needed, remove it. Using off-the-shelf operating systems is a big cost savings. In a world where we are trying to drive costs down, it makes good economic sense. Take the time to remove the services and components that are not needed to run your systems. The fewer non-required services and software, the lower the risk of compromise and the easier it is to dig out the root of a problem should one occur.
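The two points above, accurate port documentation and removing what isn't needed, can be checked with the same test on a deployed device: compare the ports the vendor documents against what the device actually listens on. The script below is an added example, not the article's or any vendor's code; the documented port set and the `ss -ltn`-style output are constructed samples, and the port numbers are illustrative.

```python
"""Added example: reconcile a vendor's documented network ports with the
listeners observed on the device.  Anything listening but undocumented is
either a documentation gap or a service that should have been removed."""
import re

# Constructed sample of the vendor's network documentation (ports are illustrative).
DOCUMENTED_PORTS = {
    ("tcp", 104),   # documented as DICOM
    ("tcp", 443),   # documented as HTTPS management UI
    ("tcp", 2575),  # documented as HL7 interface
}

# Constructed sample of `ss -ltn` output captured on the device.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:104          0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     [::]:5900            [::]:*
"""

# Matches "LISTEN <recvq> <sendq> <addr>:<port>"; addr may be IPv4 or [IPv6].
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)


def parse_listeners(ss_text, proto="tcp"):
    """Return {(proto, port): local_address} for every LISTEN line."""
    return {(proto, int(port)): addr for addr, port in LISTEN_RE.findall(ss_text)}


def compare(documented, observed):
    """Split observed listeners into undocumented, loopback-only and
    documented-but-absent.  Loopback-only listeners need no firewall rule
    but still add local attack surface, so they are reported separately."""
    undocumented, loopback_only = {}, {}
    for key, addr in observed.items():
        if key in documented:
            continue
        if addr.startswith("127.") or addr in ("::1", "[::1]"):
            loopback_only[key] = addr
        else:
            undocumented[key] = addr
    missing = documented - observed.keys()
    return {"undocumented": undocumented, "loopback_only": loopback_only, "missing": missing}


def report(documented, ss_text):
    """Print a human-readable reconciliation and return the raw result."""
    result = compare(documented, parse_listeners(ss_text))
    for (proto, port), addr in sorted(result["undocumented"].items()):
        print(f"UNDOCUMENTED  {proto}/{port} on {addr}: document it or remove the service")
    for (proto, port), addr in sorted(result["loopback_only"].items()):
        print(f"LOOPBACK-ONLY {proto}/{port} on {addr}: confirm it is required locally")
    for proto, port in sorted(result["missing"]):
        print(f"MISSING       {proto}/{port}: documented but not listening (stale docs?)")
    return result


if __name__ == "__main__":
    report(DOCUMENTED_PORTS, SS_OUTPUT)
```

Run against the sample, it flags tcp/445 and tcp/5900 as undocumented network-facing listeners, tcp/5432 as loopback-only, and tcp/2575 as documented but absent; each of those is a question for the vendor before the device goes on the clinical network.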
Add logging capability. Build a comprehensive logging capability into the product. Make it tunable so customers can control the volume and detail they want to record. Make sure it has the ability to record, at a minimum, the user of the device, the patient record number, users' login and logout events, and the IP address of the access. Provide a syslog service for forwarding the data to a destination of the customer's choosing.
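What that minimum looks like in code, as an added example that is not part of the article: an audit log whose every event carries the user, source IP and (where relevant) patient record number, whose detail level the customer can tune, and which can be pointed at a customer-chosen syslog destination via the standard library's `SysLogHandler`. The event names, verbosity tiers and device id are assumptions made for the example; quotes and newlines in field values are escaped so a crafted username cannot forge a log line.

```python
"""Added example: customer-tunable device audit log with optional syslog forwarding."""
import logging
import logging.handlers
import socket
from datetime import datetime, timezone

# Lowest verbosity at which each (assumed) event type is recorded.  Login,
# logout and patient-record access are always kept, whatever the setting.
EVENT_VERBOSITY = {
    "login": "minimal", "logout": "minimal", "login_failed": "minimal",
    "record_view": "minimal", "record_update": "minimal",
    "config_change": "standard", "export": "standard",
    "ui_navigation": "verbose",
}
VERBOSITY_RANK = {"minimal": 0, "standard": 1, "verbose": 2}


def _escape(value):
    """Neutralise characters that would let a value break out of its field."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


class DeviceAuditLog:
    def __init__(self, device_id, verbosity="standard", syslog_address=None):
        if verbosity not in VERBOSITY_RANK:
            raise ValueError(f"unknown verbosity {verbosity!r}")
        self.device_id = device_id
        self.verbosity = verbosity
        self.records = []  # local copy; a real device would also persist these
        self._logger = logging.getLogger(f"audit.{device_id}")
        self._logger.setLevel(logging.INFO)
        self._logger.propagate = False
        if syslog_address is not None:
            # Customer-chosen (host, port); UDP syslog to the auth facility.
            handler = logging.handlers.SysLogHandler(
                address=syslog_address,
                facility=logging.handlers.SysLogHandler.LOG_AUTH,
                socktype=socket.SOCK_DGRAM,
            )
            handler.setFormatter(logging.Formatter("%(message)s"))
            self._logger.addHandler(handler)

    def record(self, event, user, source_ip, patient_record=None, **extra):
        """Record one event.  Returns the log line, or None if the customer's
        verbosity setting filters the event out."""
        if event not in EVENT_VERBOSITY:
            raise ValueError(f"unknown event type {event!r}")
        if event.startswith("record_") and patient_record is None:
            raise ValueError("patient record events must carry the record number")
        if VERBOSITY_RANK[EVENT_VERBOSITY[event]] > VERBOSITY_RANK[self.verbosity]:
            return None
        fields = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "device": self.device_id,
            "event": event,
            "user": user,
            "src_ip": source_ip,
            "patient_record": patient_record if patient_record is not None else "-",
        }
        fields.update(extra)
        line = " ".join(f'{k}="{_escape(v)}"' for k, v in fields.items())
        self.records.append(line)
        self._logger.info(line)
        return line


if __name__ == "__main__":
    # Forwarding target is a constructed placeholder; pass None to log locally only.
    log = DeviceAuditLog("infusion-pump-07", verbosity="standard", syslog_address=None)
    print(log.record("login", user="nurse.jones", source_ip="10.20.30.40"))
    print(log.record("record_view", user="nurse.jones", source_ip="10.20.30.40",
                     patient_record="MRN-000123"))
    print(log.record("logout", user="nurse.jones", source_ip="10.20.30.40"))
```

To forward to the customer's collector, construct the log with `syslog_address=("collector.example", 514)`; the format stays identical, so the same parsers work on both the local copy and the forwarded stream.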
Don't dictate my security model. Don't ship solutions that are so inflexible that they break the customer's security model. The most common of these is the inclusion of a stand-alone firewall with a pre-configured LAN-to-LAN connection back to your network. This does not ensure security of the customer's network or the device. Make sure that your solutions have a range of risk mitigation options available that the customer can apply in a meaningful way within their environment.
Stop building in "phone home" services. I know these are great support tools, but look at it from the customers' security position. These tools are specifically designed to bypass firewall controls - the controls that make up a part of our overall security program. Allow alternatives such as LAN-to-LAN tunnels or using the customers' remote access methods, such as SSL VPN connectivity.
Mark Olson is chief information security officer at Beth Israel Deaconess Medical Center in Boston. He provides advisory services to security services companies in addition to being a speaker on security operations.