How to securely deploy medical devices within a healthcare facility
The risks insecure medical devices pose to patient safety are no longer just theoretical, and compromised electronic health records may haunt patients forever.
A surgical robot, pacemaker, or other life-critical device being rendered non-functional would give a whole new, and wholly undesirable, meaning to denial of service.
Attacks such as MEDJACK (medical device hijack) have infected medical devices and used them as staging grounds for attacks on medical records systems. IoT ransomware is on the rise, and BrickerBot has been rendering IoT devices non-functional. Because medical devices are, at heart, IoT devices, they are subject to all the same risks.
Healthcare organizations need to consider these risks during both the acquisition and the deployment of medical devices.
They also need to think about perimeter defenses, network and device security controls, interface and central station security, security testing, and an incident response plan.
OWASP Secure Medical Device Deployment Standard
For security practitioners who don’t know where to start, the recently published OWASP Secure Medical Device Deployment Standard is a good first read.
Authored by Christopher Frenz, a healthcare information security and privacy expert who specializes in a holistic approach to organizational security, the document provides a set of best practices against which organizations can compare their deployments, or on which they can base them.
The project is designed to raise awareness of the various approaches healthcare organizations can take to better secure medical device deployments and in doing so not only better protect patient information, but better protect the patient.
“The OWASP project focuses on the hospital and healthcare provider side of the equation and in that way is complementary to the more manufacturer-focused guidance recently released by the US Food and Drug Administration,” Frenz noted.
“It is also highly complementary to the Hippocratic Oath for Connected Medical Devices put forth by I Am The Cavalry.”