NetSPI hosted three cybersecurity professionals in the medical device industry for a roundtable discussion on their top learnings from implementing medical device security programs. I had the pleasure of moderating the session and was joined by: 

  • Matt Russo, Senior Security Director, Medtronic 
  • Dr. Matt Weir, Principal Cyber Security Researcher, MITRE 
  • Curt Blythe, Director of Product Security, Abbott 

The conversation covered core factors a medical device security program must have, the departmental structure of a security team within a medical device company, how they each approach medical device pentesting and vulnerability management, and much more.  

Security for medical devices is complex as it continually evolves alongside product innovation. The best programs bring security into the product development lifecycle from the start, with the flexibility for enhancements as new trends emerge. 

Read the highlights below or watch the webinar on demand.

3 Factors of Successful Medical Device Security Programs 

Panelists agreed on these three factors to give medical device security programs the best chance of success:  

  1. Executive buy-in. This is easier said than done, but dedicating effort to educating the team that influences business decisions will pay off greatly over time.  
  2. Integration into quality assurance. When talking about baking security into the product development lifecycle, this is one tangible way to do so. The clinical process for medical devices is well-established. Steps for security must be intentional and agreed-upon to create consistent protocols in medical device design.  
  3. Internal and external partnerships. Security is a business enabler because it reduces the risk of adverse events that could affect an organization. The more security is embedded into the medical device process, the more empowered a team becomes to move faster in a safe manner. 

    On the external partnerships side, many industry organizations have collected input and developed research to help organizations embrace security in medical devices. Leaning on these associations and the educational content they publish is akin to a cheat sheet for medical device security.  

This list isn’t exhaustive, but it’s a grounding step toward creating a strong strategy for medical device security. 

“We need to share information effectively across the ecosystem to make sure we’re all using as much knowledge as we can to continue to be in a spot to secure very critical assets.” 

Matt Russo, Senior Security Director, Medtronic

Lean on External Partners for Medical Device Cybersecurity Education 

Our panelists mentioned several industry organizations and common frameworks they’ve created to help share collective knowledge across the industry. These organizations are a good place to start when designing a medical device security program: 

  1. Medical Device Innovation Consortium (MDIC)  
  2. Information Sharing and Analysis Centers (ISACs) 
  3. Health Sector Coordinating Council (HSCC) 
  4. International Medical Device Regulators Forum (IMDRF) 

Bring leadership along in this education journey! Matt Russo recommends monitoring what’s happening in your industry at the legislative level and relaying it back to the company to let your team know what’s coming. This helps show value early on to help influence team buy-in. 

Are you keeping tabs on the recently passed omnibus bill? According to a report from Health IT Security, within its 4,000 pages, you’ll find “language that would require medical device manufacturers to ensure that their devices meet select cybersecurity requirements.” Listen to the panelists discuss the package, and more on medical device security compliance, starting at 23:55.


How Security Teams are Structured within Medical Device Departments 

The structure of a security team within an organization depends on the size of the company. As companies grow, their security teams grow too, and roles within the department become more specialized. At the other end of the scale, a smaller medical device manufacturer may have a single cybersecurity person responsible for integrating security measures into the clinical process.  

One commonality across both scenarios is that security is a centralized function that works with every product division rather than being duplicated inside each one. This avoids multiple people doing the same type of work and supports a consistent process organization-wide. 

“When you can start actually trying to solve problems and get ahead of these issues, that’s when you start being able to get that full buy-in to do more.” 

Dr. Matt Weir, Principal Cyber Security Researcher, MITRE 

If You Knew Then What You Know Now… What Would You Do Differently? 

Experience is the best teacher. Panelists shared what they would do differently if they were starting over with a medical device security program. 

  1. Dr. Matt Weir: Understand that the clinical environment has a steep learning curve for people with traditional cybersecurity backgrounds.  
  2. Matt Russo: Push harder on internal education to equip non-technical leaders with the knowledge needed for buy-in. Move faster on best practices without needing legislation to drive the changes. 
  3. Curt Blythe: Build in a strategy from the start for updating medical devices in the field, since products are moving from standalone devices to connected devices (IoT/IoMT). 

“As we’re looking at the devices that are out in the field, how do we get updates to those? Is it a matter of sending a clinical engineer out there to update [it] holding a USB stick? Or can we do it over the air? Especially with the speed of security today, we need to be able to move faster. I think it becomes a speed and scale issue that we’re going to have to work on.”  

Curt Blythe, Director of Product Security, Abbott 
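The over-the-air path Curt describes only helps if the device can tell a genuine update from a forged or stale one. The following is an added example, not code from the panelists, Abbott, or NetSPI: a minimal update-acceptance policy a connected device could run before flashing an image. It binds the manufacturer's manifest to the image by digest, rejects images for the wrong model, and refuses rollback to an older version even when the signature is valid. The manifest layout, key, model name and version numbers are assumptions; HMAC is used only so the example runs with the Python standard library alone, and it stands in for the asymmetric signature (such as Ed25519) a fielded device should verify with a public key.

```python
"""Update-acceptance policy for a connected medical device (constructed example).

Added illustration, not code from the webinar panelists or their companies.
The manifest layout, key, model name and version numbers are assumptions.
"""
import hashlib
import hmac
import json

# Assumed device-held verification key. HMAC keeps this example dependency-free;
# a fielded device should hold only a PUBLIC key and verify an asymmetric
# signature (e.g. Ed25519) so that extracting one device's key cannot forge updates.
VERIFY_KEY = b"constructed-demo-key-not-for-production"


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_release(model: str, version: int, image: bytes, key: bytes = VERIFY_KEY) -> dict:
    """Manufacturer side: bind model, version and image digest into a signed manifest."""
    fields = {"model": model, "version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {**fields, "sig": hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()}


def decide(manifest: dict, image: bytes, device: dict, key: bytes = VERIFY_KEY) -> tuple:
    """Device side. Returns ("accept", new_version) or ("reject", reason).

    device = {"model": str, "version": int}  # what is currently installed
    Checks run in this order so nothing in the manifest or image is trusted
    before the manifest signature has been verified.
    """
    fields = {k: v for k, v in manifest.items() if k != "sig"}
    sig = manifest.get("sig", "")
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    # 1. Authenticity: constant-time compare of the manifest signature.
    if not hmac.compare_digest(str(sig), expected):
        return ("reject", "bad signature")
    # 2. Model binding: a validly signed image for another product is still wrong here.
    if fields.get("model") != device["model"]:
        return ("reject", "wrong model")
    # 3. Anti-rollback: an older, validly signed release may carry known flaws.
    version = fields.get("version")
    if not isinstance(version, int) or version <= device["version"]:
        return ("reject", "rollback")
    # 4. Integrity: the image must match the digest named in the signed manifest.
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), fields.get("sha256", "")):
        return ("reject", "image digest mismatch")
    return ("accept", version)


if __name__ == "__main__":
    # Constructed sample release and device state.
    image_v2 = b"constructed firmware image, version 2"
    release = build_release("pump-x1", 2, image_v2)
    device = {"model": "pump-x1", "version": 1}

    print("genuine update:", decide(release, image_v2, device))
    print("tampered version field:", decide({**release, "version": 3}, image_v2, device))
    print("swapped image:", decide(release, b"something else", device))
    print("same release again:", decide(release, image_v2, {"model": "pump-x1", "version": 2}))
```

The ordering matters: the signature is checked before the version or digest is read, so an attacker cannot learn anything from, or influence anything with, an unauthenticated manifest. Keeping the installed version in tamper-resistant storage is what makes the rollback check meaningful; the same logic applies whether the update arrives over the air or on a clinical engineer's USB stick.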

Bookmark Now, Watch Later: Medical Device Security Webinar 

Keep growing your knowledge in med device security by watching the roundtable discussion with Dr. Weir, Matt, and Curt. Their industry expertise and perspectives on trending topics such as the omnibus bill, updatability, and IoMT give anyone learning about med device security ideas on how to move their programs forward. 

Explore NetSPI’s medical device pentesting or watch the webinar on demand.