Improving the security of diverse medical devices is a major challenge for a variety of reasons, according to security leaders at two device manufacturers, who spell out the key issues.
“Securing an implantable device is a lot more difficult than securing an X-ray machine or something that sits in a hospital network its entire lifecycle,” says Matt Russo, senior director of product security at Medtronic, in an interview with Information Security Media Group.
“It’s not a one-size-fits approach – you really need to have a unique threat modeling and risk management approach to designing security mechanisms into products and making sure they stay updated and current throughout the entire lifecycle. It’s really important to balance security and usability of those products as they’re meant for clinical application.”
But it’s not just the variety of medical devices that makes securing these products so challenging, says Ken Hoyme, director of product security at Boston Scientific, in this joint interview.
“The other aspect of diversity in our environment is the wide varying sizes of organizations – on the manufacturer and the healthcare system side,” he says. “You have large hospital systems with very sophisticated cybersecurity capabilities, and then you have smaller community hospitals with maybe one or two people on their staffs” to address security.
“You have manufacturers with multiple staff focused on cybersecurity, and you have the small start-ups that are trying to get their product on the market.”
Every stakeholder, regardless of size, plays a critical role in keeping these devices protected, the two device manufacturer executives stress.
In the interview (see audio link below photos), Russo and Hoyme discuss:
- Challenges involving legacy medical devices;
- Trends involving potential cyberattacks on medical devices;
- Tips for healthcare sector entities to improve the cybersecurity of medical devices.
Russo and Hoyme are co-chairs of a medical device cybersecurity conference to be hosted by the University of Michigan’s Archimedes Center for Medical Device Security Jan. 27-28 in New Orleans.
Russo, senior director of product security for Medtronic, is focused on the evolving device security landscape. He was previously a senior manager at the consulting firm Deloitte & Touche.
Hoyme, director of product security at Boston Scientific, has 35 years’ experience in the design of regulated safety-critical secure systems. He is past co-chair of the Association for the Advancement of Medical Instrumentation’s device security working group. Previously, he spent 18 years at Honeywell’s corporate research lab, where he was a senior fellow.