Medical Devices: Assessing Security
New Guidance for Devices Running Windows XP or Windows 7

Two not-for-profit cybersecurity associations have jointly released new guidance to help manufacturers and users of medical devices running the Windows XP or Windows 7 operating systems to quickly assess the devices' security configurations.
The new guidance from the Center for Internet Security and the Medical Device Innovation, Safety and Security Consortium offers timely security insights about a wide variety of medical devices running these aging, but still widely used, operating systems, says Rick Comeau, strategic adviser and vice president of security controls and automation at CIS.
Although Microsoft ended support for Windows XP earlier this year, and is slated to end mainstream support for Windows 7 early next year, there are still many medical devices in use - ranging from diagnostic equipment, such as radiology systems, to therapeutic gear used in patient care - that are based on derivatives of those and other off-the-shelf operating systems, Comeau explains to Information Security Media Group.
Because the healthcare system replacement/refresh cycle for medical devices is so long, any devices running Windows XP and Windows 7 "will be out there for a very, very long time," he says.
As a result, the two organizations took the existing security best practices and benchmarks for XP and Windows 7 and mapped them to a global standard, International Electrotechnical Commission (IEC) 80001-1, which covers risk management for IT networks that incorporate medical devices, Comeau says.
The guidance addresses very specific security control areas, such as automatic logoff, screen savers, audit controls and configuration of security features, he says. The two organizations mapped the 19 individual security capability areas defined in the IEC 80001 series (the security capabilities of IEC/TR 80001-2-2, the series' security-disclosure technical report) back to XP and Windows 7 security best practices, creating a matrix to help assess and manage medical device security, he says.
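To make the "assess the configuration" step concrete, the script below is an added example written for this page; it is not part of the CIS/MDISS guidance or the CIS benchmarks. It spot-checks a Windows 7 host for three of the control areas named above: the screen saver is enabled, it requires a password to dismiss (the automatic lock), its timeout is within a limit, and logon/logoff auditing is turned on. The thresholds (a 900-second timeout, auditing for both success and failure) are assumptions chosen for illustration, not values taken from the guidance, and the function names are this example's own.

```powershell
# Added example, not from the CIS/MDISS guidance: spot-check a Windows 7 host
# for screen-saver lock and logon auditing settings. Thresholds are assumptions.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-EffectiveDesktopSetting {
    param([string]$Name)
    # Group Policy values override the user's own Control Panel settings,
    # so consult the policy hive first and fall back to the user key.
    $policy = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' $Name
    if ($policy -ne $null) { return $policy }
    return Get-RegValue 'HKCU:\Control Panel\Desktop' $Name
}

function Test-ScreenSaverControls {
    param([int]$MaxTimeoutSeconds = 900)   # assumption: 15 minutes
    $active  = Get-EffectiveDesktopSetting 'ScreenSaveActive'
    $secure  = Get-EffectiveDesktopSetting 'ScreenSaverIsSecure'
    $timeout = Get-EffectiveDesktopSetting 'ScreenSaveTimeOut'
    $results = @()
    $results += New-Object PSObject -Property @{
        Control = 'Screen saver enabled'
        Value   = $active
        Pass    = ($active -eq '1') }
    $results += New-Object PSObject -Property @{
        Control = 'Screen saver requires password (automatic lock)'
        Value   = $secure
        Pass    = ($secure -eq '1') }
    $results += New-Object PSObject -Property @{
        Control = "Screen saver timeout <= $MaxTimeoutSeconds s"
        Value   = $timeout
        Pass    = ($timeout -ne $null -and [int]$timeout -gt 0 -and [int]$timeout -le $MaxTimeoutSeconds) }
    return $results
}

function Test-LogonAuditing {
    # auditpol's /r switch emits CSV whose 'Inclusion Setting' column holds
    # values such as "Success and Failure" or "No Auditing". Needs an elevated prompt.
    $csv = auditpol /get /category:'Logon/Logoff' /r |
        Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    $results = @()
    foreach ($row in $csv) {
        if ($row.Subcategory -eq 'Logon' -or $row.Subcategory -eq 'Logoff') {
            $results += New-Object PSObject -Property @{
                Control = "Audit $($row.Subcategory)"
                Value   = $row.'Inclusion Setting'
                Pass    = ($row.'Inclusion Setting' -eq 'Success and Failure')   # assumption
            }
        }
    }
    return $results
}

$report = @(Test-ScreenSaverControls) + @(Test-LogonAuditing)
$report | Select-Object Control, Value, Pass | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the device itself (auditpol refuses to read the policy otherwise), and treat a `Pass` of False as a prompt to consult the matrix for the corresponding capability rather than as a finding in itself: a vendor may have documented a reason, in the MDS2 form for instance, why a particular control cannot be enabled on a given device.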
The new guidance can be used as supplementary resources to the Manufacturer Disclosure Statement for Medical Device Security, or MDS2, form that provides manufacturers with a vehicle for disclosing the security-related features of the medical devices they sell, he says.
"This is another tool in the toolbox" for security risk management of medical devices, he says.
Other Efforts
The CIS/MDISS Security Benchmark Mapping Guidance documents, which are now available, are the first set of resources developed through the partnership of the two not-for-profits. Additional guidance for other medical devices is planned.
In another recent development, the Food and Drug Administration issued guidance advising medical device manufacturers to consider cybersecurity risks as part of the design and development of medical devices (see FDA Issues Medical Device Security Guide).
"The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information," the FDA guidance notes.
Next week, the FDA is hosting a medical device cybersecurity workshop for healthcare sector stakeholders. The Oct. 21-22 workshop is being held in collaboration with the Department of Homeland Security's ICS-CERT and the National Health Information Sharing and Analysis Center, says Suzanne Schwartz, director of emergency preparedness operations and medical countermeasures at the FDA's Center for Devices and Radiological Health.