According to the Identity Theft Resource Center, the first eight months of 2016 have seen 584 total breaches with more than 20,500,000 records exposed. What is perhaps more alarming is that 58 percent of those breaches have been in the medical/healthcare category. So that's the bad news!

The good news? The medical industry has made significant progress delivering cutting-edge medical devices such as heart monitors, implantable insulin pumps, and sleep devices that automatically monitor a patient's status, deliver potentially needed real-time treatment, and collect data that medical personnel can use to improve patient outcomes.

The manufacturers of these medical devices can use specialized hardware and software to secure the devices themselves from outside threats such as malware and ransomware. More often than not, however, these devices rely on applications and mobile platforms to communicate this data and other medical signals to doctors and medical staff, and those operating systems (such as Android) become the weak link, or backdoor, into an otherwise secure system. So that's also the bad news!

The good news? The FDA has recently released guidance designed to provide a framework for the management of cybersecurity in medical devices. The draft guidance goes into great detail, but the key points are:
- Device and application creators need to incorporate security elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity: Identify, Protect, Detect, Respond, and Recover.
- Incorporate detection mechanisms into device design and device features to increase the detectability of attacks and to permit forensically sound evidence capture.
- Design the devices so that the risks inherent in remediation are properly mitigated, including ensuring that any remediation is adequate and validated, and that the device design incorporates mechanisms for secure and timely updates.