9 important steps in securing medical devices

  • April 18 2017, 4:00am EDT

Outlining the core needs of devices to enhance information security

Manufacturers of both personal and hospital-based medical devices need to ramp up the security protection they offer in their products, starting in the design phase. And healthcare organizations need to amp up the pressure on these vendors by ensuring that sufficient data protection is in place, and raising their voices if it isn’t.

What are the core requirements to ensure that devices are secure and adequately protect patients’ health information? Here are some essential protections that must be in place in devices, says Lysa Myers, security researcher at security firm ESET.

1. Design for privacy

Information security starts at the very beginning of device design, and should be thoroughly baked into the product. Both providers and manufacturers should have a thorough understanding of the seven widely adopted principles of "Privacy by Design" presented by Ann Cavoukian, the former information and privacy commissioner of Ontario.

Content Continues Below

2. Provide for data encryption

Devices need to protect data with strong encryption, both when information is being stored and when it’s in transit, such as when it’s sent via email, web or IM, or when synced with a computer.

3. Clarify data storage options

Particularly for wearable devices, users should have the ability to store tracked information locally, rather than just in the cloud.

4. Authenticate account access

Verify that users are who they say they are. It is especially important to authenticate before enabling the viewing, sharing or modification of information on implanted devices, as the consequences of misuse are significantly higher. Provide multi-factor authentication for online account access.

Content Continues Below

5. Create a fail-safe state

Errors and malfunctions happen. Devices must default to a state that maintains access to critical functionality and does not endanger users when problems occur.

6. Assume code may be used maliciously

Legitimate code may be used in a way that forces the device to execute unauthenticated code. It is vital to handle errors in a way that takes into account this possibility so that devices cannot be used maliciously.

7. Prepare for vulnerabilities

Establish and openly publish a responsible disclosure policy for vulnerability reports.

Content Continues Below

8. Prepare for breaches

Create an incident response plan so that both manufacturers and providers can react appropriately in the event of a data breach. This will both save time and allow you to choose your words wisely, in the event of an emergency.

9. Prepare for government scrutiny

The FTC and FDA are both watching the medical device space closely, so making changes now can help avoid legal problems and hefty fines down the road. The security of the healthcare industry is likely to be in the spotlight for the foreseeable future. Despite the current troubles, opportunities exist to make a significant transformation that could serve as a model of positive change for other industries, as the Internet of Things makes its way into our homes and workplaces.