Diabetes Technology Society Unveils Cybersecurity Standard For Diabetes, IoT Devices

The nonprofit Diabetes Technology Society (DTS) unveiled recently a cybersecurity standard called DTSec, designed for interconnected diabetes devices, such — as continuous glucose monitors (CGM), wireless insulin pumps, and closed loop systems — as cybersecurity threats loom large in the medtech and healthcare sectors.

DTSec (DTS Cybersecurity Standard for Connected Diabetes Devices) contains a set of performance requirements to improve cybersecurity through independent expert security evaluation, reports Healthcare IT News. The tool utilizes the ISO/IEC 15408 framework to define security requirements on "smart" medical devices, as it creates "Protection Profiles" and "Security Targets." DTSec-approved labs will evaluate said devices against these requirements, and DTS will publish the names of products that pass its assurance-through-evaluation program.

“We can’t hope to raise the cybersecurity bar if we don’t know how to measure its height,” stated David Kleidermacher, chief security officer and one of the standard’s lead authors, according to Healthcare IT News.

DTS developed the cybersecurity standard with the help of a steering committee composed of experts in diabetes wireless device cybersecurity, hailing from government agencies, such as the U.S. Food and Drug Administration (FDA) and National Institutes of Health (NIH), as well as from manufacturers of diabetes devices, academia, professional organizations, patient advocacy groups, and industry stakeholders.

DTS states on its website that the DTSec standard is the organization’s contribution to efforts to beef up consensus standards and share industry best practices as mandated by Presidential Executive Order 13636, which mandates that the National Institute of Standards and Technology (NIST) improve U.S. cybersecurity infrastructure in 16 critical sectors, including healthcare/public health.

DTSec currently applies to networked life-critical devices, such as insulin pump controllers, but is envisioned to ultimately become part of other future standards applicable to non-diabetes devices.

"The tool provides a blueprint for efficient, measurable security for networked electronic products and systems in any industry," said Kleidermacher, according to Healthcare IT News.

In the DTSec paper, the group adds, "While Diabetes Technology Society has a specific mission in diabetes-related electronic products, it is the express intent of this standard’s authors that it can provide foundational work for effective cybersecurity standards across not only other medical device classes, but other connected devices and the broader “Internet of Things.”

DTS says security evaluation and certification performed under the DTSec standard shall utilize international standard ISO/IEC 15408:2009 (general framework and specification of requirements) and ISO/IEC 18045:2005 (companion document to ISO 15408, covering evaluation methodology). ISO/IEC 15408, known informally as the Common Criteria (CC), remains the only internationally accepted, generally applicable product security framework.

In the draft guidance Postmarket Management of Cybersecurity in Medical Devices, FDA enjoins device manufacturers to utilize the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity in creating "a structured and systematic comprehensive cybersecurity risk management program." Related, FDA previously issued final guidance for premarket cybersecurity management during the design stage of device development.