9 important steps in securing medical devices
Both providers and device manufacturers must understand ways to optimize security.
Outlining the core needs of devices to enhance information security
Manufacturers of both personal and hospital-based medical devices need to ramp up the security protection they offer in their products, starting in the design phase. And healthcare organizations need to amp up the pressure on these vendors by ensuring that sufficient data protection is in place, and raising their voices if it isn’t.
What are the core requirements to ensure that devices are secure and adequately protect patients’ health information? Here are some essential protections that must be in place in devices, says Lysa Myers, security researcher at security firm ESET.
1. Design for privacy
Information security starts at the very beginning of device design, and should be thoroughly baked into the product. Both providers and manufacturers should have a thorough understanding of the seven widely adopted principles of "Privacy by Design" presented by Ann Cavoukian, the former information and privacy commissioner of Ontario.
2. Provide for data encryption
Devices need to protect data with strong encryption, both when information is being stored and when it’s in transit, such as when it’s sent via email, web or IM, or when synced with a computer.
3. Clarify data storage options
Particularly for wearable devices, users should have the ability to store tracked information locally, rather than just in the cloud.
4. Authenticate account access
Verify that users are who they say they are. It is especially important to authenticate before enabling the viewing, sharing or modification of information on implanted devices, as the consequences of misuse are significantly higher. Provide multi-factor authentication for online account access.
5. Create a fail-safe state
Errors and malfunctions happen. Devices must default to a state that maintains access to critical functionality and does not endanger users when problems occur.
6. Assume code may be used maliciously
Legitimate code may be used in a way that forces the device to execute unauthenticated code. It is vital to handle errors in a way that takes into account this possibility so that devices cannot be used maliciously.
7. Prepare for vulnerabilities
Establish and openly publish a responsible disclosure policy for vulnerability reports.
8. Prepare for breaches
Create an incident response plan so that both manufacturers and providers can react appropriately in the event of a data breach. This will both save time and allow you to choose your words wisely, in the event of an emergency.
9. Prepare for government scrutiny
The FTC and FDA are both watching the medical device space closely, so making changes now can help avoid legal problems and hefty fines down the road. The security of the healthcare industry is likely to be in the spotlight for the foreseeable future. Despite the current troubles, opportunities exist to make a significant transformation that could serve as a model of positive change for other industries, as the Internet of Things makes its way into our homes and workplaces.