Medical Device Cybersecurity: Progress and GapsFormer Medtronic Security Officer Assesses Collaborative Efforts
Collaboration between medical device manufacturers and ethical hackers who discover cybersecurity vulnerabilities is getting better, but there's still plenty of room for improvement, says Bill Aerts, the former global privacy and security officer at device maker Medtronic.
Relationships between the independent security researcher community and medical device manufacturers "are so much better than it used to be," Aerts says in an interview with Information Security Media Group.
"Researchers - those who really know what they're doing and have prominence across the world - have learned there's a good way ... to approach a manufacturer" about newly identified security flaws in medical devices, he notes. "And manufacturers - some more than others - are learning that these folks aren't the enemy, that they really do know a lot about medical devices and the security of them, and that they should be very receptive to the research ... and take in what [these researchers] know ... and determine if there's really an issue or not."
Sometimes, however, researchers bring issues to the attention of manufacturers that are "misunderstood or are not really threats," he contends.
"The general advice across the industry is for researchers to know the right way to approach a company directly ... and secondly, manufacturers to be more receptive ... because there could be helpful information there" in what the ethical hackers potentially discovered, Aerts adds.
Healthcare Provider Progress
Some healthcare providers - especially larger organizations - also are making strides in programs focused on medical device cybersecurity, he says. That includes improving product testing, using tools to monitor what devices are on their networks and ensuring their products are configured correctly.
But he acknowledges that healthcare providers "have such a difficult challenge because they have so many devices on the network from so many manufacturers that it's hard for them to stay on top of it."
In the interview (see audio link below photo), Aerts also discusses:
- Medical device cybersecurity advice for healthcare provider organizations;
- The most worrisome, evolving cyberthreats facing medical devices;
- An upcoming cybersecurity workshop May 8-9 that's being hosted for healthcare industry stakeholders by the University of Michigan Archimedes Research Center for Medical Device Security.
Aerts, who has more than 30 years of experience in security, recently retired as director of product security within medical device maker Medtronic's global privacy and security office. In that role, he was accountable for Medtronic's global product security program, which brings together product research and development functions, security subject matter experts and business unit and corporate leadership throughout the company. Currently, Aerts is an adjunct professor at the Carlson School of Business at the University of Minnesota.