Medical Device Incident Response: Patient Safety ConcernsSecurity Experts Chris Frenz and Brian Russell Discuss New CSA Playbook
The Cloud Security Alliance's new medical device incident response playbook aims to help healthcare entities better plan response tactics for security incidents involving different types of devices, taking into consideration varying patient safety issues, say the document's co-authors, Christopher Frenz of Mount Sinai South Nassau and Brian Russell of TrustThink.
The Medical Device Incident Response Playbook provides several use-case examples and incident scenarios involving an imaging device, an implanted device and a networked infusion pump.
"Often when we talk [about security risk], we'll talk about the asset value, the data on the asset and how vulnerable that asset is. But we don't think about the patient safety implications if an asset were to go down," Frenz says in an interview with Information Security Media Group.
With the playbook, "we wanted to bring more clinical context around the incident response process," he says. "Not all medical devices are the same, and not all should be handled the same in response to an incident."
The setting in which a medical device is used and the type of security incident or compromise that occurs are also critical patient safety concerns in response plans, says Russell in the same interview.
"A compromise of a CT imaging scanner or an associated picture archiving and communication system … is that compromised device located in an outpatient setting, where the impact is relatively minimal," he says. "Or maybe it’s located in an emergency room or triage area where the loss of availability causes the hospital to redirect patients to another facility - that's something you have to take into consideration."
"So if a device becomes unavailable to treat a patient, what are the impacts going to be? Even something that causes just a delay in patient care does have a potential for adverse outcomes."
In the interview (see audio link below photo), Frenz and Brian also discuss:
- Other important medical device incident response considerations;
- Security vulnerabilities and related concerns involving legacy medical devices;
- Avoiding common medical device security mistakes.
Frenz is information security officer at Mount Sinai South Nassau, a medical care provider. Previously, he was assistant vice president of information security for Interfaith Medical Center in Brooklyn, New York, where he developed the hospital's information security program and infrastructure. Frenz is the author of the OWASP Secure Medical Device Deployment Standard and the OWASP Anti-Ransomware Guide.
Russell is the founder of security firm TrustThink and co-chair of the Cloud Security Alliance's internet of things working group. He previously led the medical device security architecture team at a large healthcare delivery organization. At TrustThink, Russell performs security engineering for new technologies including autonomous vehicles, connected medical device, and the IoT. He is also co-author of the book "Practical IoT Security" and an adjunct professor at the University of San Diego.