MD+DI Online is part of the Informa Markets Division of Informa PLC

Wireless Security: A Work in Progress

The keys to developing secure wireless infrastructures in the medical device industry are implementing solid risk-assessment and risk-management programs.

Bob Michaels

Wireless infrastructures are complex, remarks Michael McNeil, global product security and services officer at Andover, MA–based Philips Healthcare. “Traditionally, such infrastructures have created challenges for a number of different industries, and they obviously raise a new set of challenges from a networking perspective for medical devices and facilities. When you look at the vulnerability of wireless networks and their entry points, the level of complexity is multiplied.” In a talk on May 7 at BIOMEDevice Boston focusing on “Cyber Security: Flaws in Medical Device Security Protocols that Compromise Data,” McNeil will address these complexities.

In the past, the introduction of wireless technologies in the medical device sphere usually revolved around diagnostic capabilities, according to McNeil. But when such devices began to emerge from closed networks and the need for interconnectivity arose, the focus on security increased, requiring significant changes within healthcare organizations. “We are still trying to meet and work through the challenges associated with this shift to device interconnectivity,” McNeil emphasizes.

The question of security and safety protocols and their effects on wireless infrastructures must be understood in the context of wireless infrastructures as a whole, McNeil comments. The more that the medical device industry can improve wireless authentication models, the more success it will have in increasing network segmentation of devices in medical environments around encryption protocols within the internal networks. These types of elements, he adds, will help reduce some of the attack vectors that currently exist.

But here’s the rub: To achieve wireless security, companies must begin to implement solid risk management programs. To do so, they have to start from the beginning, ensuring that risk assessment and risk management are addressed during the product development phase.

“From the manufacturers’ perspective, development processes should include testing and assessing the types of environments into which their products will be introduced so that they can implement increased security protocols in limited, impacted wireless infrastructures,” McNeil says. “By studying the environments in which their devices are used and attempting to replicate the appropriate types of risk and threat vectors from a risk-management perspective, manufacturers can improve their security protocols and recommend to the healthcare and delivery network organizations how to implement the best safety measures.”

Achieving this objective, according to McNeil, means assessing and managing risk through the entire lifecycle of a device, including how to solve maintenance issues. “If you look at the regulatory bodies and some of the premarket guidance that FDA has issued, you’ll notice that they’re looking for and expecting that manufacturers will follow this approach—a deliverable that needs to be in place.”

In addition, risk assessments must be consistent in terms of use cases and in terms of how companies define the threat vectors they face. If manufacturers all perform the same actions and carry out the same activities, they will be executing a critical component of a good risk-assessment and risk-management program, McNeil says. Thus, from an industry perspective, risk management and risk assessment must be viewed as an entire ecosystem, in which the players at the table include representatives from the manufacturer side, healthcare facilities, government entities, consortia, and researchers. This approach will create a closed feedback loop that can manage postmarket activities, surveillance, and identification of potential vulnerabilities that impact not only one but multiple manufacturers.

“As an industry overall, we’re seeing some of these coalitions come together,” McNeil remarks. Philips has begun participating with the Medical Device Innovation, Safety, and Security Consortium (MDISS) and the National Health Information Sharing and Analysis Center (NHISAC). Together with FDA, both organizations have signed a memorandum of understanding around information gathering and sharing for postmarket guidance. MDISS, whose membership includes representatives of both manufacturers and health-delivery networks, is also working with the NHISAC on putting together risk-management models—a clear example of the medical device space bringing resources together.

The medical device industry will acquire more ability to execute a good risk-assessment and risk-management framework as it brings all of the right constituents together from the ecosystem, McNeil comments. “As a result, we will be able to ensure that appropriate testing is taking place and that manufacturers are incorporating security by design into their development lifecycles. The industry will also learn how to report vulnerabilities and execute these reports to feed back into companies’ development processes.”

Bob Michaels is senior technical editor at UBM Canon. Reach him at [email protected].
