Wireless infrastructures are complex, remarks Michael McNeil, global product security and services officer at Andover, MA–based Philips Healthcare. “Traditionally, such infrastructures have created challenges for a number of different industries, and they obviously raise a new set of challenges from a networking perspective for medical devices and facilities. When you look at the vulnerability of wireless networks and their entry points, the level of complexity is multiplied.” In a talk on May 7 at BIOMEDevice Boston focusing on “Cyber Security: Flaws in Medical Device Security Protocols that Compromise Data,” McNeil will address these complexities.
In the past, the introduction of wireless technologies in the medical device sphere usually revolved around diagnostic capabilities, according to McNeil. But when such devices began to emerge from closed networks and the need for interconnectivity arose, the focus on security increased, requiring significant changes within healthcare organizations. “We are still trying to meet and work through the challenges associated with this shift to device interconnectivity,” McNeil emphasizes.
The question of security and safety protocols and their effects on wireless infrastructures must be understood in the context of wireless infrastructures as a whole, McNeil comments. The more that the medical device industry can improve wireless authentication models, the more success it will have in increasing network segmentation of devices in medical environments around encryption protocols within the internal networks. These types of elements, he adds, will help reduce some of the attack vectors that currently exist.
But here’s the rub: To achieve wireless security, companies must begin to implement solid risk management programs. To do so, they have to start from the beginning, ensuring that risk assessment and risk management are addressed during the product development phase.
“From the manufacturers’ perspective, development processes should include testing and assessing the types of environments into which their products will be introduced so that they can implement increased security protocols in limited, impacted wireless infrastructures,” McNeil says. “By studying the environments in which their devices are used and attempting to replicate the appropriate types of risk and threat vectors from a risk-management perspective, manufacturers can improve their security protocols and recommend to the healthcare and delivery network organizations how to implement the best safety measures.”
Achieving this objective, according to McNeil, means assessing and managing risk through the entire lifecycle of a device, including how to solve maintenance issues. “If you look at the regulatory bodies and some of the premarket guidance that FDA has issued, you’ll notice that they’re looking for and expecting that manufacturers will follow this approach—a deliverable that needs to be in place.”
“As an industry overall, we’re seeing some of these coalitions come together,” McNeil remarks. Philips has begun participating with the Medical Device Innovation, Safety, and Security Consortium (MDISS) and the National Health Information Sharing and Analysis Center (NHISAC). Together with FDA, both organizations have signed a memorandum of understanding around information gathering and sharing for postmarket guidance. MDISS, whose membership includes representatives of both manufacturers and health-delivery networks, is also working with the NHISAC on putting together risk-management models—a clear example of the medical device space bringing resources together.
The medical device industry will acquire more ability to execute a good risk-assessment and risk-management framework as it brings all of the right constituents together from the ecosystem, McNeil comments. “As a result, we will be able to ensure that appropriate testing is taking place and that manufacturers are incorporating security by design into their development lifecycles. The industry will also learn how to report vulnerabilities and execute these reports to feed back into companies’ development processes.”
Bob Michaels is senior technical editor at UBM Canon.