Navigating the Library of Medical Device Security Standards
Published On September 10, 2020
Blog Post by Nick Keys, ITRM Manager at Meditology Services
Multiple government and industry entities provide regulations and standards for securing medical devices. To date, relevant regulations and standards have not carried meaningful incentives or disincentives for providers to invest time, resources, and energy to tackle this problem.
Private industry consortia provide more prescriptive guidance, but there is no clear, concise framework or standard that is comprehensive and prescriptive enough to tackle the challenge. The result is a hodge-podge of guidance, frameworks, and tools that lacks cohesion. However, each standard and regulatory reference can be valuable inputs to medical device security programs if applied in the appropriate areas.
This blog provides a quick rundown of the most commonly cited industry standards, regulations, guidance, and alerting resources used for leading medical device security programs.
Common Medical Device Security Standards and Regulations
The diagram illustrates just a few of the many government regulations and industry standards that apply to medical devices. The following list is not exhaustive, but rather represents several of the frameworks and standards that can be leveraged for medical device security programs:
- HIPAA / HITECH provides requirements for the administrative, physical, and technical controls that can be applied to medical devices and supporting infrastructure
- The VA provides the Medical Device Protection Program (MDPP) to maintain safe and effective operations of network-connected medical devices
- The Food and Drug Administration (FDA) provides the publication “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”
- Underwriters Laboratory (UL) provides UL-2900-2-1, a standard for software cybersecurity for network-connectable products. The FDA uses UL 2900 to streamline product review for 510(k) certifications
- National Institute of Standards (NIST) provides the Common Cybersecurity Framework (CSF). Key publications include “Managing Information Security Risk: Organization, Mission, and Information System View” (NIST SP 800-39) and “Security and Privacy Controls for Information Systems and Organizations” (NIST SP 800-53)
- The NIST National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data
- Medical Device Innovation, Safety, and Security Consortium (MDISS) issues guidance to the industry on securing medical devices and associated platforms
- The International Organization for Standardization (ISO) provides ISO 80001, a set of guidelines developed by an international working group with members from the medical device industry, hospital clinical engineering staff, and IT
- The Association of Electrical Equipment and Medical Imaging Manufacturers (NEMA) provides the Manufacturer Disclosure Statement for Medical Device Security (MDS) to assist professionals responsible for security-risk assessment in the management of medical device security issues
- ANSI/AAMI/ISO 14971, Medical devices—Application of risk management to medical devices specifies a process for an OEM to identify the hazards associated with medical devices, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls
- AAMI TIR57 Principles for Medical Device Security - Risk Management provides guidance on methods to perform information security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971
- MITRE manages federally funded research and provides a playbook for medical device security
- Health Information Sharing and Analysis Center (H-ISAC) provides healthcare stakeholders a trusted community and forum for coordinating, collaborating and sharing vital physical and cyber threat intelligence and best practices with each other
- National Cybersecurity Center of Excellence (NCCOE) is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity challenges
Medical Device Security Alerts and Monitoring
Medical device security alerts can be sourced from multiple external parties including:
- Emergency Care Research Institute (ECRI): Requires a paid membership and provides product safety and recall alerts
- The Department of Homeland Security (DHS): Provided on the ICS-CERT page are alerts and advisories. These can be filtered by OEM name. This is not an automated process for DHS to send alerts about specific devices. This is a process that organizations must take upon themselves to periodically check for alerts and advisories
- The Federal Bureau of Investigation (FBI): The FBI may make direct contact if it has information that pertains to an organization, but it is worth contacting your local field office to see about getting on a list of alerts
- H-ISAC: A healthcare-specific security information sharing and collaboration group. Note: this also requires a paid membership
- FDA: Medical Device Safety Communications, these alerts are also more of a repository and would require a manual process to review
- Manufacturer and User Facility Device Experience (MAUDE): A collection of medical device reports covering a multitude of issues. Searchable by specific product, device type or by OEM. Often events do not occur in a high enough frequency to trigger an official alert, but MAUDE can be searched to find any reports
- CORL Technologies: CORL Technologies was founded to address the need for vendor security intelligence within healthcare including medical device manufacturers and products. Delivered as a managed service and supported by an expert team of research analysts and a collaborative intelligence sharing community, CORL's Vendor Risk Management (VSRM) solutions are used alone or as part of a larger VRM program including medical device security programs. With CORL, organizations can leverage intelligence gathered from thousands of healthcare vendors and products to understand and monitor medical device vendor risk, ease compliance audits and improve executive-level communications and risk analytics reporting. CORL supports initial assessments of medical device vendors and also provides ongoing monitoring and alerting for changes to the security posture of medical device manufacturers and products
Meditology is a top-ranked healthcare security and privacy firm servicing healthcare entities of all shapes and sizes. We were designated the #1 Best in KLAS firm for 2019 and 2020 for healthcare cybersecurity advisory services.
We have extensive experience building and implementing medical device security programs at leading health systems across the country. We have also advised the federal government on medical device security and ethical hacking matters.
Contact us to learn more about how we can help you with your medical device security program needs.