Global Banking & Finance Review Issue 11 - Business & Finance Magazine

Page 64

AMERICAS TECHNOLOGY

However, that kind of data isn't present for security vulnerabilities, and so the risk-benefit discussion between patients and their doctors is not based on empirical evidence; an alternate means of communicating the risks and benefits needs to be used.

Tackling the Security Issues

The significant length of time required for a patch to be released is typical in the medical device industry. While the FDA has noted that releases strictly for security vulnerabilities will not be subject to the same regulatory process, it is still the manufacturer's responsibility to ensure that any change to its system is safe and effective. In other words, a deployed software patch still needs to go through a rigorous process of analysis, development, verification and validation to ensure that it operates as intended and does not introduce new risks. The recent Meltdown and Spectre vulnerabilities are a good example of how patches can have adverse performance impacts (as much as 30%), and manufacturers need to perform the necessary testing to ensure all patches work appropriately.

Medical device security is fundamentally about risk identification and reduction. Manufacturers need to incorporate security risk management processes throughout their entire development lifecycle, in the same way they have incorporated safety risk management. This means performing activities such as architectural risk analysis, threat modeling, automated code review, and security-focused testing.

This is an issue that is as much about healthcare and security broadly as it is about patching individual devices. Many people suggest a cultural change is necessary within the healthcare industry towards privacy, highlighted by the worrying statistics that one third of mobile medical apps have no privacy policy, one third share data with third parties, and one third do not even use encryption to protect users' data. If you download a medical-focused app, there is a significant probability that your data will be available for uses you may not be aware of. Even encryption, which in the medical space should be a must-have before going to market, is missing from a large portion of apps. Consumers should understand that to get the benefit of some mobile medical apps, they will be giving up control of their private health data.

Additionally, imagine a situation where the data you unknowingly submit through a mobile application is used to link your biological information to a potential medical condition. Should that information be communicated to you? How should it be presented? Did you even want to know that you were trending towards something that may never happen?

To conclude, security can be an enabler of new healthcare models that deliver great benefits to patients, but it also remains a source of major concern. For patients to fully benefit, security must become a top priority for healthcare organisations.

Dan Lyon Principal Consultant Synopsys



