Protecting Medical Devices from Data Breaches – Some Highlights from the FDA Draft Guidance

According to the Identity Theft Resource Center’s Data Breach Report, the healthcare/medical industry saw over 112,800,000 records breached in 2015 – by far the most of any industry. This translates into roughly one in every three Americans that saw their healthcare data compromised by a cybersecurity breach, numbers that may actually be much greater than that.

A recent CIO article – Why any organization can suffer a healthcare breach, and 5 tips for keeping PHI safe – shared the fact that most organizations with employees have health-related information such as workers’ compensation data or employee wellness programs stored in house. Add this to the industry breaches and the numbers might be even scarier.

So what to do?

The CIO article lists some steps to take, including:

  1. Know what PHI data you have (this goes beyond the healthcare/medical industry)
  2. De-identify data through encryption or tokenization
  3. Involve the BI team
  4. Strengthen security around data pathways between company and vendors
  5. Monitor access to data – even by privileged users

While these steps can certainly help, the article falls short of speaking to mobile devices and applications. Today, with BYOD and cloud-based applications in wide-spread use throughout the enterprise (healthcare and medical industry included) securing data becomes quite complex – regardless of the device. While falling short of business-related mobile devices, The FDA recently released draft guidance for industry and staff on Postmarket Management of Cybersecurity in Medical Devices (PDF), which highlights some key recommendations to boost data security. Needless to say all mobile device manufacturers (medical or otherwise) should heed these guidelines as a means to advance data security measures.

Some highlights of the report:

It is recommended as part of a [device] manufacturer’s cybersecurity risk management program that the manufacturer incorporates elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity (PDF) (i.e., Identify, Protect, Detect, Respond, and Recover).

Manufacturers can also enhance their postmarket detection of cybersecurity risks by incorporating detection mechanisms into their device design and device features to increase the detectability of attacks and permit forensically sound evidence capture.

Manufacturers should consider the incorporation of design features that establish or enhance the ability of the device to detect and produce forensically sound postmarket evidence capture in the event of an attack. This information may assist the manufacturer in assessing and remediating identified risks.

Manufacturers should design their devices to ensure that risks inherent in remediation are properly mitigated including ensuring that the remediation is adequate and validated, that the device designs incorporate mechanisms for secure and timely updates.

Our enterprise-level solution, Cryptanium, has two main components that can help medical device manufactures introduce the security needed to prevent malware threats like ransomware. The first is Cryptanium Secure Key Box, a white box cryptographic library that implements standard cryptographic algorithms in a way that completely hides the keys. The second is Cryptanium Code Protection, a comprehensive tool for hardening software applications on multiple platforms. These two components work together to increase security protection against these types of malware threats.

The connected world we live in today goes beyond computers and mobile devices to automobiles, home appliances and medical devices; the security solutions that we rely on need to work harder to protect the people that rely on these devices.

To read the full FDA Draft Guidance for Postmarket Management of Cybersecurity in Medical Devices, you can download it here (PDF):


Photo by Ken Jarvis.