By Shahid Shah, president & CEO, Netspective Communications
Follow me on Twitter @ShahidNShah
In 2013, the Food and Drug Administration (FDA) issued its first cybersecurity safety communication, followed in 2014 by final guidance. While it took the agency much longer to focus on cybersecurity than many of us would have liked, I think it struck a reasonable balance between new regulations (almost none) and guidance (in the form of nonbinding recommendations).
Earlier this year, the Federal Trade Commission (FTC) released a staff report entitled Internet of Things: Privacy & Security in a Connected World, in which it recommend that Internet of Things (IoT) style devices, which of course include medical and clinical devices, need to maintain a good security posture. It’s worth noting that the FDA, FTC, and other government regulators are centering on a few key guidelines. The following six recommendations come directly from the FTC report:
- Companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider:
- Conducting a privacy or security risk assessment
- Minimizing the data they collect and retain
- Testing their security measures before launching their products
- Companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization
- Companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.
- When companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.
- Companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.
- Companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities
The FTC report and FDA guidelines are remarkably consistent. When thinking of cybersecurity and data privacy, we tend to think about authentication, authorization, and encryption. Those are the relatively easy topics. For safety-critical devices, however, things are much more difficult and need to encompass a larger surface of questions, including but not limited to:
- Asset Inventory: Is the device discoverable, and can it associate itself with standard IT inventory systems so that revision management, software updates, and monitoring can be automated?
- Cyber Insurance: Does the device have enough security documentation to allow it to be insured by standard cyber insurance riders?
- Patching: How is the firmware, operating system (OS), or application going to be patched by IT staff within hospitals (or the home for remote devices)?
- Internal Threats: Has the device been designed to circumvent insider (hospital staff, network participants, etc.) threats?
- External Threats: Has the device been designed to lock down the device from external threats?
- Embedded OS Security: Is the device sufficiently hardened at the operating system level, such that no extraneous software components, which increase the attack surface, are present?
- Firmware and Hardware Security: Are the firmware and hardware components sourced from reputable suppliers and free of state-sponsored spying?
- Application Security: Is the Microsoft Security Development Lifecycle (SDL) or similar software security assurance process integrated into the engineering process?
- Network Security: Have all network protocols not in use by the device been turned off so that they are not broadcasting?
- Data Privacy: What data segmentation, logging, and auditing is being done to ensure appropriate data privacy?
- HIPAA Compliance: Have proper steps been followed to ensure Health Insurance Portability and Accountability Act (HIPAA) compliance?
- FISMA Compliance: If you’re selling to the federal government, have proper steps, such as use of Federal Information Processing Standard (FIPS) certified encryption, been followed to ensure Federal Information Security Management Act (FISMA) compliance?
- Data Loss Prevention (DLP): Is there monitoring in place to ensure data leakage outside of the device doesn’t occur?
- Vulnerabilities: Have common vulnerabilities such as the Open Web Application Security Project (OWASP) Top 10 been reviewed?
- Data Sharing: Are proper data sharing agreements in place to allow sharing of data across devices and networks?
- Password Management: Are passwords hardcoded into the device or made configurable?
- Configuration Protection: Are configuration files properly checksummed and protected against malicious changes?
After spending many years working on cybersecurity in the government technology, connected medical device, financial services, and digital health sectors, it’s been my experience that security is often treated as something that can be “bolted on” late in the design cycle. Cybersecurity is an emergent property of a system and not a feature or function that you can add later, as confirmed by FDA guidance and the recent FTC report.
Given the importance of security, it’s understandably going to get some attention in the engineering management and development lifecycle; however, security and data privacy should be elevated to market driver and competitive differentiator status, because they can help you market your devices differently. Instead of using a checklist approach to security, consider how each of your major device functions and capabilities enhance the device’s security posture or reduce the risk of data privacy breaches. Allow certain features to be turned off by default to provide a more secure device, and then let customers turn features on later when they know they need the functionality.
Many device manufacturers will treat security as a compliance activity bolted on at the end — those designers will end up creating insecure devices that will get their customers’ data hacked or stolen, and land their customers on the front pages of newspapers. The progressive designers who don’t take a checklist approach to security and compliance and instead embed privacy, security, and safety into their product’s user-facing requirements will be far more trusted by their customers. Don’t treat security as a problem for engineers to solve. Budget and manage cybersecurity as a competitive differentiator.
Shahid Shah is an award-winning cybersecurity mentor and medical device hardware / software design coach with 25 years of technology strategy and engineering experience. You can reach him via Twitter or email.