data being handled, security and privacy must become a priority. The critical question is: how
can device manufacturers and app developers reduce the potential for data leaks?

As the demand for mobile medical devices and healthcare apps grows, next-generation tools that
detect application and data security vulnerabilities and protect against them are a must.

In fact, already in 2014 the FDA released a guidance document containing nonbinding
recommendations for the management of cybersecurity in medical devices, which states that
cybersecurity risk management is a shared responsibility among stakeholders, including health
care facilities, patients, providers, and manufacturers of medical devices.

The FDA also states that the failure to maintain cybersecurity can result in compromised device
functionality, loss of data (medical or personal) availability or integrity, or exposure of other
connected devices or networks to security threats. Manufacturers must address cybersecurity
from the start, during the design and development stages of their medical device, as this results
in more robust and efficient mitigation of patient risks; they must also focus on every aspect of
the data path, not just on securing the actual device, but also the software-based apps that talk
to the device.

The loss of data caused by malware is a typical threat that an application needs to
withstand. A hack can go well beyond impacting privacy, ruining corporate reputations and
hurting the bottom line: in this case, a hack can literally kill someone. In short, mobile
medical apps and the associated FDA-regulated devices also need to maintain their integrity
and must not depart from their prescribed behavior.

To lower the risk of malicious attacks and unwanted alterations of sensitive mobile apps running
in unmanaged environments, software protection best practices need to be established.
Best practices and security methods that have been used for the protection of software
applications in other industries such as Finance, Automotive and Media need to be adapted and
then adopted to prevent security breaches in the Healthcare industry and protect patient data.

Today, the U.S. FDA [1, 2] publishes nonbinding recommendations for the management of
cybersecurity for medical devices, which include the following security-related
recommendations:

1. Limit access to devices to trusted users only, through user authentication.
2. Require user authentication or other appropriate controls before permitting software or
firmware updates, including those affecting the operating system, applications, and anti-
malware.
3. Ensure the capability of secure data transfer to and from the device, and when appropriate,
use methods for encryption.
4. Employ appropriate software/hardware protections against malicious observation or
modification of medical device secrets by the device possessor.
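
Recommendation 2 is usually met in engineering terms by accepting a firmware or software update only after the device has verified that the update package was signed by the manufacturer and is not a downgrade of what is already installed. The following Go program is an added example written for this page; it is not FDA or any manufacturer's code. It assumes a hypothetical manifest format (version number plus SHA-256 of the image), Ed25519 as the signing algorithm, and a manufacturer public key pinned in the device at manufacture (which also touches recommendation 4: the only secret involved, the private signing key, never leaves the vendor's build infrastructure).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware release. The layout is an assumption made for this
// example; a real device's manifest format is defined by its manufacturer.
type Manifest struct {
	Version   uint32   // monotonically increasing release number
	ImageHash [32]byte // SHA-256 of the firmware image the manifest covers
}

// Encode serialises the manifest into the exact bytes that are signed and verified,
// so that the version and the image hash are both covered by the signature.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignManifest runs on the manufacturer's build server, never on the device.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify")
	ErrImageMismatch = errors.New("image hash does not match signed manifest")
	ErrRollback      = errors.New("update version is not newer than installed version")
)

// VerifyUpdate is the gate the device runs before flashing. It accepts the update only if
// (1) the manifest is signed by the manufacturer key pinned in the device,
// (2) the delivered image hashes to the value in the signed manifest, and
// (3) the version is strictly newer than what is installed (anti-rollback).
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed example: a fresh key pair. On a real device only the public key is
	// present (provisioned at manufacture); the private key stays with the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	image := []byte("firmware v2 image bytes (constructed sample)")
	m := Manifest{Version: 2, ImageHash: sha256.Sum256(image)}
	sig := SignManifest(priv, m)

	fmt.Println("genuine update:  ", VerifyUpdate(pub, m, sig, image, 1))

	// An attacker who can reach the update channel but not the signing key
	// can only tamper with the image or replay an old signed release.
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:  ", VerifyUpdate(pub, m, sig, tampered, 1))
	fmt.Println("rollback attempt:", VerifyUpdate(pub, m, sig, image, 2))
}
```

The ordering of the checks matters: the signature is verified before anything in the manifest is trusted, so an attacker cannot influence the hash or version comparison with unsigned data. Note that user authentication at the update interface (who may push an update) and package verification (whether the package is genuine) are complementary controls; the example covers only the second.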




29 Cyber Warnings E-Magazine – May 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide