How to securely deploy medical devices

In the wake of the Food and Drug Administration (FDA) issuing both “premarket” (2014) and “postmarket” (2016) guidance for improving security in the development and manufacture of connected medical devices, the Open Web Application Security Project (OWASP) has released a set of best practices for the secure deployment of those devices.

As the report’s author and project leader, Christopher Frenz, puts it, “a medical device with all the security features in the world will not stand up to an attack if it is deployed in an insecure manner.”

Frenz, also director of IT infrastructure at Interfaith Medical Center, said the “OWASP Medical Device Deployment Standard,” released last month, was not coordinated with the FDA, but is designed to be “complementary” to its guidance.

The document includes 32 recommendations grouped into seven categories:

• Purchasing controls
• Perimeter defenses
• Network security controls
• Device security controls
• Interface and central station security
• Security testing
• Incident response

The first category includes recommendations for rigorous evaluation of security and privacy standards built into any device before it is purchased.

That could make improving security a long process, since obviously many organizations could have dozens to hundreds of legacy devices, designed to last a decade or more, that don’t meet modern best-practice standards.

Indeed, as the report’s introduction states: “Many medical devices were engineered with patient safety and life saving as the sole functions of the device, and little attention was traditionally paid to the security of these devices.”

The result, as widely reported, is that, “many medical devices (are) rife with security vulnerabilities.”

But Frenz said the deployment standard, “can serve as compensating controls for such devices. One example is the use of network isolation of a potentially insecure device, which lessens the chance of compromise and helps to mitigate the damage a successful compromise can cause,” he said.

The report also acknowledges that while it would be ideal for all devices to be, “fully denied access to anything external,” the reality is that in many cases those devices need external access for updates, to transmit data to cloud-hosted medical records systems, and to transmit data to third-party services, such as radiology reading, for assessments.

So, among perimeter defenses, the report calls for firewalls, a network intrusion detection system and a proxy server/web filter.

+ RELATED: Hospital devices left vulnerable, leave patients at risk +

Under network security controls, it calls for limiting communications as much as possible. “All medical devices should be on an isolated network segment that restricts communication … to just the systems required for the device to function,” it said.

The network should also have the capability to detect anomalous activity. “For example, a high occurrence of failed login attempts on a device or even a high occurrence of successful logins across a large number of devices (outside of scheduled maintenance) may be indicative of an attack from IoT malware like Mirai,” the report said.

And when it comes to the devices themselves, organizations should do the obvious – make sure they are configured properly and that all available patches and updates are installed.

Frenz said he knows not all organizations will have the time or money to comply with every item on the list, but said OWASP’s overall goal is to raise awareness.

He said organizations can start with risk assessments of their current device deployments, “and identify the controls in the standard that would best help mitigate the most serious risks they identified.”