- Shortly after the Food and Drug Administration (FDA) offered new guidance on the security of wireless medical device radio frequencies, the Center for Internet Security (CIS) publicized a new initiative in which it aims to better secure Internet-enabled medical devices from cyber attacks. CIS sent out a request for information (RFI) to U.S. medical device manufacturers for voluntary participation in the development of medical device security benchmarks.
CIS, a not-for-profit organization, already has more than 70 free, currently-supported CIS Benchmarks in PDF format across 14 technology groups such as server operating systems (OSes), desktop OSes, databases, webservers, mobile devices and web browsers. CIS wants to build upon the FDA draft “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which included recommendations for authentication and encryption measures.
Will Pelgrin, CIS president and CEO, explained to HealthITSecurity.com that medical devices used to be just clinical devices, such as manual insulin shots and it’s only been in the recent past that those devices have become much more technology-enabled. Doctors who used to have wired devices now have wireless phones and tablets. As more devices are able to be connected to the internet, more significant attention has been placed on them.
While these new medical device enhancements are tremendous, there are certain challenges associated with them. As we learned with data and control systems when they became connected to the internet, there were concerns about vulnerabilities and how they were going to be exploited. So we wanted to be ahead of the curve. Instead of waiting for a major incident to happen, we wanted to provide guidance across the board. We all recognize that whether you’re talking about traditional medical devices or those that are a bit more proprietary relative to how these devices work and communicate with data being stored back at the home office, they perform a critical function. They need to be available 100% of the time and can’t have downtime.
Pelgrin said that Albany Medical Center has already responded to the RFI and was the first healthcare provider to take part in the project. He added that the National Health Information Sharing and Analysis Center (NH ISAC) and a large manufacturer were also in the process of getting involved.
There are ways we can better configure these devices to be as secure as possible. We’re starting with the implementation of the insulin pump, but there are other devices such as pacemakers, defibrillators and others that we’ll be moving into as well. As these devices become connected to the internet and networks, they become more than just clinical devices, they become IT systems. As we all know, the weakest node on a network can be your entry point for negative consequences that can affect those devices.
The CIS RFI ends Aug. 30, but still looking for more vendors, manufacturers and healthcare providers to take part. Its first webcast dedicated to the cause will be Sept. 5. Pelgrin said that CIS has a deadline of having its first medical device security benchmark connected to this project out by the end of this calendar year.