The Center for Internet Security (CIS) has launched a new initiative to help bolster the protection of Internet-enabled medical devices from cyber attacks.
CIS has issued a request for information (RFI) to US medical device manufacturers to invite voluntary participation in the development of security control guidelines (benchmarks) for reducing cyber risk to medical devices. CIS is a globally recognized nonprofit organization for enhancing the cyber security readiness and response of public and private sector entities.
The first of their kind, these benchmarks will provide clear recommendations on how device manufacturers should securely configure medical devices. The benchmarks are intended to build upon the Food and Drug Administration’s (FDA) draft “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”
The first benchmarks will be focused on insulin infusion pump technologies, with future benchmarks being developed for other medical devices on an ongoing basis.
Doctors and other healthcare providers are beginning to routinely access implanted medical devices (IMDs) such as insulin pumps, pacemakers and defibrillators over the Internet. This process enables doctors to manage the device and continuously monitor and even treat the patient remotely. However, these cutting-edge medical advantages come with risk. As indicated in recent safety notices issued by the FDA and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), hardcoded password vulnerabilities were found in approximately 300 medical devices. These findings make clear that the risks are real and much more needs to be done to improve cyber security within the medical device industry.
“The technological advancements that enable healthcare providers to embed life-saving devices and treat patients remotely are tremendous. We must do everything we can to protect those devices and the patients who rely on them. CIS is pleased to lead this collaborative effort to develop well-defined security baselines that can help further strengthen defenses against cyber attack,” said William Pelgrin, CIS president and CEO.
CIS has been helping to build consensus on secure configuration settings across a range of information technologies for 13 years, and will bring this experience to assist manufacturers in developing configuration security benchmarks for their medical devices. Joining CIS in this initiative is the National Health Information Sharing and Analysis Center, a national coordinating center to help protect the nation's healthcare and public health critical infrastructure against security threats and vulnerabilities.
“Cybersecurity threats and vulnerabilities continue to represent increasing concerns for medical devices,” said Deborah Kobza, executive director of the National Health ISAC. “The Center for Internet Security’s initiative provides healthcare stakeholders with a defining voice to help protect medical device confidentiality, integrity and availability, and public health safety. The National Health ISAC is excited to help support this important initiative.”
The first healthcare provider to join in this initiative is the Albany Medical Center, a nationally recognized academic health science center.
“The medical community leverages technology to deliver top quality healthcare, research and education to our vast constituency, and the security of that technology is crucial,” said George T. Hickman, Executive Vice President and Chief Information Officer for Albany Medical Center. “I’m pleased to be a part of this collaborative effort to develop implementable guidance that will enhance the security of these devices.”
Hickman also serves as board chairman of the College of Healthcare Information Management Executives (CHIME), a national organization representing more than 1,400 healthcare chief information officers.