Outlining the core needs of devices to enhance information security
Manufacturers of both personal and hospital-based medical devices need to ramp up the security protection they offer in their products, starting in the design phase. And healthcare organizations need to amp up the pressure on these vendors by ensuring that sufficient data protection is in place, and raising their voices if it isn’t.

What are the core requirements to ensure that devices are secure and adequately protect patients’ health information? Here are some essential protections that must be in place in devices, says Lysa Myers, security researcher at security firm ESET.
1. Design for privacy
Information security starts at the very beginning of device design, and should be thoroughly baked into the product. Both providers and manufacturers should have a thorough understanding of the seven widely adopted principles of "Privacy by Design" presented by Ann Cavoukian, the former information and privacy commissioner of Ontario.
2. Provide for data encryption
Devices need to protect data with strong encryption, both when information is being stored and when it’s in transit, such as when it’s sent via email, web or IM, or when synced with a computer.
3. Clarify data storage options
Particularly for wearable devices, users should have the ability to store tracked information locally, rather than just in the cloud.
4. Authenticate account access
Verify that users are who they say they are. It is especially important to authenticate before enabling the viewing, sharing or modification of information on implanted devices, as the consequences of misuse are significantly higher. Provide multi-factor authentication for online account access.
5. Create a fail-safe state
Errors and malfunctions happen. Devices must default to a state that maintains access to critical functionality and does not endanger users when problems occur.
6. Assume code may be used maliciously
Legitimate code may be abused in a way that forces the device to execute unauthenticated code. Error handling must take this possibility into account, so that a fault or unexpected input cannot be turned into a path for running untrusted code on the device.
7. Prepare for vulnerabilities
Establish and openly publish a responsible disclosure policy for vulnerability reports.
8. Prepare for breaches
Create an incident response plan so that both manufacturers and providers can react appropriately in the event of a data breach. Having the plan in place ahead of time saves time during an emergency and lets you choose your words wisely when communicating about it.
9. Prepare for government scrutiny
The FTC and FDA are both watching the medical device space closely, so making changes now can help avoid legal problems and hefty fines down the road. The security of the healthcare industry is likely to be in the spotlight for the foreseeable future. Despite the current troubles, opportunities exist to make a significant transformation that could serve as a model of positive change for other industries, as the Internet of Things makes its way into our homes and workplaces.