By Melissa Masters
Cybersecurity is a growing concern in all aspects of our lives. Our home computers, the servers that store our credit card information and identities, and now our medical information and the medical devices that we rely on to keep us healthy (and even alive in some cases) are all at risk. But with new FDA guidance and growing media awareness, the bar is being raised regarding the expectations for a secure device. At the same time, the opportunities for attacks by cyber criminals are increasing. Securing devices, systems, and infrastructure is a critical issue for all of our safety, and the challenges here are great.
The CIA of Security
The focus of developing a secure medical device is called the “CIA” of security:
- Confidential: We must ensure that our data is confidential.
- Integrity: We must ensure that our data and our devices maintain their integrity.
- Available: Our devices must be available when needed.
Every day, companies design and develop robust devices. But are they looking at the security of their device and the data it generates or uses? That emerging focus will become a greater priority as FDA guidance is finalized.
As more data is stolen and systems are compromised and held for ransom, clinics and hospitals are raising the bar as well. Hospitals' IT specialists and procurement professionals are asking manufacturers for information to ensure that their device was designed securely and will remain secure when it is deployed in their network.
An Internet technology director of a large hospital system recently told me, “We know we are in a hole, we don’t want to make it worse.” The possibility of a medical device causing physical harm exists. However, data theft or ransom is a more immediate threat. All threats need to be addressed now.
How can this challenge be met? Recently, I have participated in several conferences and working groups focused on cybersecurity for medical devices. Here’s how we should address this challenge:
- First, great people are working to help in this space. Cybersecurity experts, medical device manufacturers, human factors experts, infrastructure experts, and hospitals' internet technology specialists and procurement professionals are focused on a common goal.
- Second, companies are beginning to think about cybersecurity from the beginning. It took time for companies to integrate proper human factors experts and processes up front, and the same will be true for designing a secure device. In the end, both practices produce better devices.
- Third, it will take time! Medical devices have a five- to 15-year life cycle. Devices themselves take three to five years to design and develop. This natural evolution of newer, more secure devices will take years.
Internet of Things to Come
The promise of things to come in the future is exciting. The future is about connecting, being more integrated and making smarter decisions regarding our health and well-being. Disconnecting our devices is a hasty response and is not the answer. Making smarter choices up front, utilizing cybersecurity experts, and being attentive to this emerging effort is the path forward.
Melissa Masters is the director of electrical, software and systems engineering at Battelle.