Medical Device Security: What Really Works?
New Collaborative Effort Hopes to Validate, Then Share, Best Practices
A new collaborative effort aims to advance "evidence-based security" for medical devices through the sharing of best practices, says Dale Nordenberg, M.D., leader of the Medical Device Innovation, Safety and Security consortium.
"We believe that 2017 is the year that we truly hit a tipping point where the majority of ... healthcare delivery systems and leading [device] manufacturers ... have come to be aware of medical device cybersecurity risk potential. That is a very important first step," Nordenberg says in an interview with Information Security Media Group.
"But the next step is for stakeholders to collaborate to build an evidence base," he says. That involves gathering the data "to truly understand what is happening at the point of care regarding medical devices" to size up the risks involved and then develop best practices for how to address them, he adds.
MDISS and the Association of Executives in Health Information Security, whose members include more than 700 CISOs and other healthcare security leaders, recently announced that they will work collaboratively to help their members identify, mitigate and prevent cybersecurity threats to medical devices.
MDISS, since its launch in 2010, has focused on advancing public health and patient safety. "We drive toward evidence-based decision making. And we do this based on best practices from organizations like the Centers for Disease Control and Prevention," Nordenberg says. Now, MDISS will work with CISOs through its new partnership with AEHIS, a unit of the College of the Healthcare Information Management Executives, to help identify and spread best cybersecurity practices for medical devices, he says.
"We think the tipping point has happened with awareness [of medical device cybersecurity risks], and now we're driving to try to achieve a tipping point in responsible, productive information sharing so that we have an evidence-based approach to risk mitigation," Nordenberg says.
Sean Murphy, CISO of health insurer Premera and an advisory board member of AEHIS, says in a statement to ISMG that the alliance between MDISS and AEHIS will potentially help healthcare CISOs address critical medical device cybersecurity challenges.
"Broadly speaking, the security of medical devices continues to be an issue that healthcare CISOs have to contend with. As these special purpose computing platforms are unique to healthcare and often life-critical, we almost have to develop our own solutions to mitigate risk without having ready-to-go frameworks or manufacturer-provided security controls engineered-in," he says. "By engaging with groups like MDISS, healthcare CISOs can align more effectively through information sharing and vulnerability reporting as a best practice to reduce risk and improve security."
In the interview, Nordenberg, who will be a speaker at ISMG's Healthcare Security Summit in New York Nov. 14-15, also discusses:
- The critical role CISOs and other security leaders from a diverse array of healthcare provider organizations and manufacturers can play in advancing medical device cybersecurity best practices and information sharing;
- Details about the collaborative activities planned by MDISS and AEHIS;
- Cybersecurity challenges related to legacy medical devices in use versus new products under development.
In addition to his role as co-founder and executive director of MDISS, Nordenberg is a pediatrician and CEO of the consulting firm Novasano Health and Science. He's the former CIO of the Centers for Disease Control and Prevention and co-chairs the Medical Device Security Information Sharing Council for the National Health Information Sharing and Analysis Center.