Healthcare IT News: Tips on Medical Device Security from the Product Leaders’ Perspective

NetSPI’s medical device security roundtable was featured in Healthcare IT News in an article recapping the virtual event. Read the preview below.

+ + +

Medical device innovations have enhanced healthcare and improved patient care, but they present a broad attack surface for healthcare organizations.

NetSPI, a security service company, hosted medical device product security experts to talk about the business and challenges of securing connected technologies in healthcare. They addressed sharing information across teams throughout the product lifecycle, building product security teams, legislative changes governing the space and strategies to increase the pipeline of talent.

Where does product security sit within the enterprise?

Matt Russo, senior director of product security at Medtronic; Curt Blythe, director of product security at Abbott; and Matt Weir, principal cybersecurity engineer at MITRE, all agreed that, regardless of where product security teams sit, they need to be partners in product development.

Where it makes sense from a scale and efficiency perspective, there’s one team dedicated to scanning devices as a centralized function with a distributed model, Blythe said.

But the key point is embedding design and security practices into what developers do every day, which ultimately enables them to move fast, “but in a safe way.”

Russo said that at Medtronic, “You can really see that across the landscape.” 

While resource restrictions make centralized product security functions more feasible, and they generally work for Medtronic and other large organizations, he said many device companies need to look at the technical aptitude of security teams.

Is product security just a part of what they do?

Weir noted that it’s hard to have a dedicated security team if you have a small product base. 

“The big thing though is that you do have that integration during your product development lifecycle,” he said. 

When medical device developers try to add cybersecurity later into the process, it makes it much harder to be successful, he added. Weir advised integrating product security as early as possible into the product life cycle, and continuing communication as products evolve. 

Product security specialists bring visibility into systems. They can then see how the devices are being used, and they are better positioned to recommend mitigations, he said. 
