Tips on medical device security from the product leaders’ perspective

Business News

Medical device innovations have enhanced healthcare and improved patient care, but they present a broad attack surface for healthcare organizations.

NETSpi, a security service company, hosted medical device product security experts to talk about the business and challenges of securing connected technologies in healthcare. They addressed sharing information across teams throughout the product lifecycle, building product security teams, legislative changes governing the space and strategies to increase the pipeline of talent.

Business News Where does product security sit within the enterprise?

Matt Russo, senior director of product security at Medtronic, Curt Blythe, director of product security at Abbott and Matt Weir, principal cybersecurity engineer at MITRE, all agreed that regardless of where product security teams sit, they need to be partners in product development.

Where it makes sense from a scale and efficiency perspective, there’s one team dedicated to scanning devices as a centralized function with a distributed model, Blythe said.

But the key point is embedding design and security practices into what developers do every day, which ultimately enables them to move fast, “but in a safe way.”

Russo said that at Medtronic, “You can really see that across the landscape.” 

While resource restrictions make centralized product security functions more feasible, and that generally works for Medtronic and other large organizations, he said many device companies need to look at the technical aptitude of security teams. 

Is product security just a part of what they do?

Weir noted that it’s hard to have a dedicated security team if you have a small product base. 

“The big thing though is that you do have that integration during your product development lifecycle,” he said. 

When medical device developers try to add cybersecurity later into the process, it makes it much harder to be successful, he added. 

Weir advised integrating product security as early as possible into the product lifecycle, and continuing communication as products evolve. 

Product security specialists bring visibility into systems – they can then see how the devices are being used, and are better positioned to recommend mitigations, he said. 

Business News How do you get buy-in for product security? Build a program and get executive support

Blythe said that by making leaders aware of policy changes on the horizon, you can get their buy-in.

“Tap into your government affairs organization and find out what policies are coming out and how you stay out front of what is changing,” and make sure leaders have that awareness, he said. 

“They are bought into that, right, and that can be translated down into their business and their leaders, and ultimately, they can be successful in what they are trying to do.”

Get your foot in the door by encouraging that process, Weir advised.

He noted that the Food & Drug Administration’s premarket guidance recommends threat modeling. 

“When you can actually start to solve problems and you know, get ahead of these issues, that’s when you start to realize the full buy-in to be able to do more,” said Weir.

Business News The ‘new’ legislative compliance climate for medical device security

With the passage of the 2022 Omnibus Appropriations Act, “including a rider essentially for the PATCH Act,” said Blythe, the FDA has legislative authority over medical device manufacturers. 

They need to provide a software bill of materials, show a post-marketing monitoring process with threat intelligence and maintain the security posture of devices out in customers’ hands. 

“I’ll say that none of that is really new,” said Blythe.

“All those main messages have been communicated previously,” and the omnibus just shifts FDA’s regulatory guidance to a legislative authority the agency will be looking to enforce, he said.

“It’s really tough to go ahead and actually do it,” Weir said of the SBOM. Having the ability to respond to new vulnerabilities is really important, he added.

Creating SBOMs is not a trivial task, Russo agreed. “It’s still something the industry needs to work through.”

Business News Like to tinker? Become a medical device tester

Weir said that understanding the clinical workflows are more challenging than the cybersecurity aspects of medical device development.

While there are now more certifications than ever, Russo said the personality for the job of product security is the “tinkerer.” 

The key difference with the product security function is, “We want to break what the engineers build, right? We want to see how we can make it fail or how we can break apart what they’ve done,” he said, adding that whether it’s through threat modeling or penetration testing, product security specialists are partners in product development.

They want to “feed that [information] back into the system, so it can be built back up better” and give that knowledge to the engineers that want to be the builders. 

Andrea Fox is senior editor of Healthcare IT News.
Email: af**@***ss.org

Healthcare IT News is a HIMSS Media publication.

Jeremy Petch will offer more detail at the HIMSS23 session “Opening the Black Box: Promise and Limitations of Explainable AI.” It’s scheduled for Wednesday, April 19 at 10 a.m. – 11 a.m. CT at the South Building, Level 5, room S503.

Read More
Elroy Badon

Latest

Will Spain keep finding a way? Re-ranking the World Cup teams with six games remaining – The Athletic – The New York Times

Forty-eight teams started these World Cup finals a month ago — now only six remain. Tomorrow that will be whittled down to a final four. Morocco became the first quarter-finalists to be knocked out, losing 2-0 to the seemingly unstoppable France on Thursday, before brave Belgium finally succumbed to Spain in Los Angeles on Friday

Erling Haaland is Norway’s World Cup machine — and the internet’s ‘babygirl’ – AP News

Erling Haaland stands at 6 feet, 5 inches, an intimidating force who can make fellow soccer players look tiny in stature and talent. Scoring seven goals across four World Cup matches entering Saturday, the Norwegian player has been described as a machine. But if you ask some loyal new fans, he’s also a babygirl and

Woody Marks and 5 fantasy football sleepers trending toward a much bigger role

One way to get an edge in fantasy football? By keeping a close eye on offseason chatter. Which players are impressing reporters in OTAs? Which roster battles could go a different way than the average fan expects? Which rookie is going to end up rocketing up draft boards by August? These five players are fairly

Matt Miller Announces Indefinite Leave From ESPN Amid Investigation Over Alleged Fantasy Football Fraud

On June 23, ESPN NFL Draft analyst Matt Miller revealed that he was in a car crash and was brutally injured. The accident nearly caused him to lose his life, as his arm had to be amputated to keep him alive. Now that he is making his way back after a drastic change, Miller announced

Newsletter

Don't miss

Will Spain keep finding a way? Re-ranking the World Cup teams with six games remaining – The Athletic – The New York Times

Forty-eight teams started these World Cup finals a month ago — now only six remain. Tomorrow that will be whittled down to a final four. Morocco became the first quarter-finalists to be knocked out, losing 2-0 to the seemingly unstoppable France on Thursday, before brave Belgium finally succumbed to Spain in Los Angeles on Friday

Erling Haaland is Norway’s World Cup machine — and the internet’s ‘babygirl’ – AP News

Erling Haaland stands at 6 feet, 5 inches, an intimidating force who can make fellow soccer players look tiny in stature and talent. Scoring seven goals across four World Cup matches entering Saturday, the Norwegian player has been described as a machine. But if you ask some loyal new fans, he’s also a babygirl and

Woody Marks and 5 fantasy football sleepers trending toward a much bigger role

One way to get an edge in fantasy football? By keeping a close eye on offseason chatter. Which players are impressing reporters in OTAs? Which roster battles could go a different way than the average fan expects? Which rookie is going to end up rocketing up draft boards by August? These five players are fairly

Matt Miller Announces Indefinite Leave From ESPN Amid Investigation Over Alleged Fantasy Football Fraud

On June 23, ESPN NFL Draft analyst Matt Miller revealed that he was in a car crash and was brutally injured. The accident nearly caused him to lose his life, as his arm had to be amputated to keep him alive. Now that he is making his way back after a drastic change, Miller announced

Garrett Nussmeier’s QB Brother Receives Upsetting News on Football Career

Colton Nussmeier has run out of options to fix his eligibility for 2026. On July 9, the UIL State Executive Committee voted 4–1 to reject his appeal, a decision first shared by 247Sports’ Mike Roach. With that, his plan to play his senior season at Denton Ryan is over. The door at his old school

Breitbart Business Digest: Stacking Those $250 Trump Bills

Weekly Wrap: Making It Rain with Trump Bills Welcome back to Friday! This is the Breitbart Business Digest weekly wrap, our septidialogic sweep through the economic and financial news. This week the economy failed to get indigestion from the high price of gas, Treasury Secretary Scott Bessent told us about getting fed at the Fed, Trump

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity