Chris Newmarker

August 17, 2015

3 Steps to Better Protect Your Devices from Hacking

There are more reasons than ever to take medical device cybersecurity seriously. Here are three things to get you started, courtesy of GE Healthcare's product security engineering director.

FDA is focusing more on medical device network security, and so should you, says Steve Abrahamson, director of product security engineering at GE Healthcare.

Independent researcher Billy Rios recently confirmed that a Hospira infusion system could be accessed remotely through a hospital's network, allowing an unauthorized user to potentially change drug dosages for patients. Even though there had been no actual instance of hacking, FDA still issued a safety communication advising health providers to stop using the Hospira Symbiq infusion system, which Hospira has already stopped making and distributing.

"That really was a big change, in that the FDA addressed an issue outside of intended use," Abrahamson said. 

Other recent stories outside the medical device space should also give medtech officials pause, including hacking concerns over Chrysler vehicles and two major security breaches of U.S. Office of Personnel Management databases that potentially compromised at least 22.1 million people's records.

"Who would worry about someone hacking into a car? You wouldn't even think of it, but it's surely a risk," Abrahamson said.

Here are three steps Abrahamson advises medical device designers to take to begin ensuring their devices' security:

1. Go Through a Security Risk Management Process

A good place to start is the National Institute of Standards and Technology's 800-53 document. "We leverage that in our security process in identifying the appropriate controls to include in our products. We've customized it, though, for the specific products we have in our product portfolio. What we recommend is that other manufacturers do the same, and also that healthcare providers follow a similar process operationally," Abrahamson said.

"If you follow that process, you can address risks related to medical devices."

Such a process will guide you through such questions as how critical to patient safety a device is, the device's level of availability, and whether it houses patient records that need to be kept private.

In all cases, safety comes first and trumps other concerns such as information privacy, Abrahamson said. For example, automatically logging off users should be less frequent in more critical environments. For devices that may be used in an emergency, there should even be a "break glass" procedure so that a care provider can quickly use a device if it's needed.

2. Make Sure to Look Specifically at Privacy Risks

There are direct identifiers such as name and Social Security number. But it is also important to think about indirect identifiers including age, gender, and ZIP code. "With just a few indirect identifiers, you can use that to identify an individual. ... That's something we have to be really careful of," Abrahamson said.

Combinations of identifiers in data flows are also important, and need appropriate protections in data transmission. "One of the key reasons we follow that type of process within GE Healthcare is to force the engineering team to think about privacy risk and minimize the amount of data that is included in data flows," Abrahamson said.

"We don't want to include any type of identifiers that aren't really needed for the function of the device."
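As an added example (not GE Healthcare's code or process), the two checks this step implies, written in Python: a data-minimization screen that drops direct identifiers a data flow does not need, and a k-anonymity count that shows how few indirect identifiers it takes to single out one record. The field names, the `needed` set and the sample records are constructed for illustration.

```python
"""Privacy screen for a device data flow: drop unneeded direct identifiers and
measure how re-identifying the remaining indirect identifiers are (k-anonymity).
Added example; identifier classes follow the article, all data is constructed."""
from collections import Counter

# Direct identifiers name a person outright; indirect (quasi-) identifiers
# only do so in combination with each other.
DIRECT_IDENTIFIERS = {"name", "ssn"}
INDIRECT_IDENTIFIERS = {"age", "gender", "zip"}


def screen_flow(fields, needed):
    """Return (fields to keep, findings) for one outbound data flow.
    `needed` is the set of fields the device function genuinely requires."""
    keep, findings = [], []
    for f in fields:
        if f in DIRECT_IDENTIFIERS and f not in needed:
            findings.append(f"drop direct identifier '{f}': not needed for device function")
            continue  # minimize: the field never enters the data flow
        if f in DIRECT_IDENTIFIERS:
            findings.append(f"direct identifier '{f}' retained: protect in transit and at rest")
        keep.append(f)
    quasi = [f for f in keep if f in INDIRECT_IDENTIFIERS]
    if len(quasi) >= 2:
        findings.append(f"indirect identifiers {quasi} travel together: check k-anonymity")
    return keep, findings


def k_anonymity(records, quasi):
    """Smallest number of records sharing one combination of quasi-identifier
    values. k == 1 means at least one patient is uniquely re-identifiable."""
    groups = Counter(tuple(r.get(q) for q in quasi) for r in records)
    return min(groups.values()) if groups else 0


# Constructed sample export from a hypothetical monitoring device ("hr" = heart rate)
SAMPLE = [
    {"name": "A", "ssn": "1", "age": 34, "gender": "F", "zip": "02139", "hr": 72},
    {"name": "B", "ssn": "2", "age": 34, "gender": "F", "zip": "02139", "hr": 80},
    {"name": "C", "ssn": "3", "age": 71, "gender": "M", "zip": "02139", "hr": 65},
    {"name": "D", "ssn": "4", "age": 34, "gender": "M", "zip": "02140", "hr": 90},
]

if __name__ == "__main__":
    keep, findings = screen_flow(["name", "ssn", "age", "gender", "zip", "hr"], {"hr", "age"})
    print(keep, findings)
    print("k over age+gender+zip:", k_anonymity(SAMPLE, ["age", "gender", "zip"]))  # 1
    print("k over gender only:", k_anonymity(SAMPLE, ["gender"]))  # 2
```

With all three indirect identifiers in the flow, two of the four sample records are unique (k = 1), which is exactly the re-identification risk Abrahamson describes; reducing the flow to what the function needs raises k.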

3. Assess Security Risks

Don't assume someone stealing data is an outsider, either, Abrahamson said.

"One of the biggest threat factors is the trusted insider ... someone who was given access but that person misused it," Abrahamson said.

Users need to be prevented from jerry-rigging devices or outright stealing information.

It all comes down to analyzing threat factors, value of the assets contained in the medical device, and vulnerabilities, Abrahamson said. "In terms of the threat, you have to consider both internal threat actors and external threat actors."

Chris Newmarker is senior editor of Qmed. Follow him on Twitter at @newmarker.