Cyber-Security Considerations for “Mission-Critical” Medical Devices


Understanding the balance between new regulations (almost none) and guidance (in the form of non-binding recommendations)

By Shahid N. Shah MS


In 2013, the Food and Drug Administration (FDA) issued its first cybersecurity safety communication, followed in 2014 by final guidance.

It struck a reasonable balance between new regulations (almost none) and guidance (in the form of non-binding recommendations).


In 2015, the Federal Trade Commission (FTC) released a staff report entitled Internet of Things: Privacy & Security in a Connected World, in which it recommended that Internet of Things (IoT) devices, which of course include medical and clinical devices, maintain a good security posture. It’s worth noting that the FDA, FTC, and other government regulators are converging on a few key guidelines.

Six Recommendations

The following six recommendations come directly from the FTC report:

  1. Companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider:
     • Conducting a privacy or security risk assessment
     • Minimizing the data they collect and retain
     • Testing their security measures before launching their products
  2. Companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.
  3. Companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.
  4. When companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.
  5. Companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.
  6. Companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

The FTC report and FDA guidelines are remarkably consistent. When thinking of cybersecurity and data privacy, engineers tend to think about authentication, authorization, and encryption. Those are the relatively easy topics.


Mission Critical Medical Devices

For “mission-critical” medical safety devices, however, things are much more difficult and need to encompass a larger surface of questions, including but not limited to:

  • Asset Inventory: Is the device discoverable, and can it associate itself with standard IT inventory systems so that revision management, software updates, and monitoring can be automated?
  • Cyber Insurance: Does the device have enough security documentation to allow it to be insured by standard cyber insurance riders?
  • Patching: How is the firmware, operating system (OS), or application going to be patched by IT staff within hospitals (or the home for remote devices)?
  • Internal Threats: Has the device been designed to circumvent insider (hospital staff, network participants, etc.) threats?
  • External Threats: Has the device been designed to lock down the device from external threats?
  • Embedded OS Security: Is the device sufficiently hardened at the operating system level, such that no extraneous software components, which increase the attack surface, are present?
  • Firmware and Hardware Security: Are the firmware and hardware components sourced from reputable suppliers and free of state-sponsored spying?
  • Application Security: Is the Microsoft Security Development Lifecycle (SDL) or similar software security assurance process integrated into the engineering process?
  • Network Security: Have all network protocols not in use by the device been turned off so that they are not broadcasting?
  • Data Privacy: What data segmentation, logging, and auditing is being done to ensure appropriate data privacy?
  • HIPAA Compliance: Have proper steps been followed to ensure Health Insurance Portability and Accountability Act (HIPAA) compliance?
  • FISMA Compliance: If you’re selling to the federal government, have proper steps, such as use of Federal Information Processing Standard (FIPS) certified encryption, been followed to ensure Federal Information Security Management Act (FISMA) compliance?
  • Data Loss Prevention (DLP): Is there monitoring in place to ensure data leakage outside of the device doesn’t occur?
  • Vulnerabilities: Have common vulnerabilities such as the Open Web Application Security Project (OWASP) Top 10 been reviewed?
  • Data Sharing: Are proper data sharing agreements in place to allow sharing of data across devices and networks?
  • Password Management: Are passwords hardcoded into the device or made configurable?
  • Configuration Protection: Are configuration files properly check-summed and protected against malicious changes?
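As an added example (not code from the article), the Configuration Protection and Password Management items above in working form: the device verifies an HMAC-SHA256 tag over its configuration file before trusting it, with the key assumed to be provisioned per device and held in protected storage rather than hardcoded, and it falls back to known-safe defaults when the tag is missing or wrong. The key, settings and defaults are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. On a real device this is provisioned per unit and kept in
# protected storage (secure element, OS keystore); it is embedded here only so
# the example runs stand-alone. It must never be a fixed value baked into firmware.
DEMO_DEVICE_KEY = b"per-device-secret-provisioned-at-manufacture"

# Constructed known-safe defaults used when the stored configuration cannot be trusted.
SAFE_DEFAULTS = {"remote_admin": False, "telnet": False, "log_level": "info"}


def canonical_bytes(config: dict) -> bytes:
    """Serialize deterministically so identical settings always produce the same tag."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def sign_config(config: dict, key: bytes) -> dict:
    """Wrap the settings together with an HMAC-SHA256 tag computed over them."""
    tag = hmac.new(key, canonical_bytes(config), hashlib.sha256).hexdigest()
    return {"settings": config, "hmac_sha256": tag}


def verify_config(wrapped: dict, key: bytes) -> bool:
    """Return True only if the stored tag matches a freshly computed one."""
    settings = wrapped.get("settings")
    tag = wrapped.get("hmac_sha256")
    if not isinstance(settings, dict) or not isinstance(tag, str):
        return False  # unsigned or malformed file: do not trust it
    expected = hmac.new(key, canonical_bytes(settings), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(expected, tag)


def load_config(wrapped: dict, key: bytes, safe_defaults: dict) -> dict:
    """Fail closed: a tampered or unsigned configuration yields the safe defaults."""
    if verify_config(wrapped, key):
        return wrapped["settings"]
    return dict(safe_defaults)


if __name__ == "__main__":
    signed = sign_config({"remote_admin": False, "telnet": False, "log_level": "warn"}, DEMO_DEVICE_KEY)
    print(load_config(signed, DEMO_DEVICE_KEY, SAFE_DEFAULTS))
    tampered = json.loads(json.dumps(signed))  # simulate an edited file on disk
    tampered["settings"]["remote_admin"] = True
    print(load_config(tampered, DEMO_DEVICE_KEY, SAFE_DEFAULTS))  # safe defaults
```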




Mr. Shahid N. Shah is an internationally recognized healthcare thought-leader across the Internet. He is a consultant to various federal agencies on technology matters and winner of Federal Computer Week’s coveted “Fed 100” Award in 2009. Over a twenty-year career, he built multiple clinical solutions and helped design and deploy an electronic health record solution for the American Red Cross and two web-based eMRs used by hundreds of physicians, along with many large groupware and collaboration sites. As ex-CTO for a billion-dollar division of CardinalHealth, he helped design advanced clinical interfaces for medical devices and hospitals. Mr. Shah is senior technology strategy advisor to NIH’s SBIR/STTR program, helping small businesses commercialize healthcare applications. He runs four successful blogs: At he writes about architecture issues; at he provides valuable insights on applying technology in health care; at he advises senior federal technologists; and at he gives a glimpse of HIT as an aggregator. Mr. Shah is a Microsoft MVP (Solutions Architect) Award Winner for 2007 and for 2006. He also served as a HIMSS Enterprise IT Committee Member. Mr. Shah received a BS in computer science from the Pennsylvania State University and an MS in Technology Management from the University of Maryland.



4 Responses

  1. Ransomware is a growth industry
    [Current news]

    “Linux ransomware rising? Linux.Encoder.1 now infects thousands of websites – Although only newly identified, Linux.Encoder.1 crypto-ransomware for Linux web servers seems to have spread rapidly.” By Liam Tung for ZDNet, November 13, 2015

    “Ransomware-as-a-service surfaces, wants 10 percent profit cut – Customer loyalty in the age of scumware.” By Team Register for The Register, November 13, 2015.

    “How Chimera changes the ransomware game – With the announcement of the new Chimera ransomware variant, what was already a large nuisance has been turned into a real threat to organisations and individuals alike.” By Chloe Green for Information Age, November 13, 2015.

    “Ransomware coming to a Mac near you – The rising cybersecurity threat to Mac users has taken another turn as Symantec published details of a ransomware proof-of-concept (POC) attack on OS X.” By Ian Murphy for Enterprise Times, November 13, 2015

    “Scary computer extortion scheme is more popular than ever – Ransomware attacks are on the rise, including a number of new scary cases. With ransomware, hackers take over your computer and won’t give you access to it, until you pay them the money they’re demanding.” By Kevin Downey for Kim Komando, November 13, 2015.

    And lastly,

    “IT Nation Panel: Ransomware Is The Biggest Challenge Facing Security Firms – Ransomware has become the most nefarious challenge for security vendors today because of the inability of existing technologies to remediate once the damage has been done, panelists at ConnectWise’s IT Nation agreed Thursday.” By Michael Novinson for, November 12, 2015, 6:39 pm EST

    Marin Kleczynski, CEO of San Jose, Calif.-based Malwarebytes says: “Ransomware is just something that you can’t clean up. It’s gotten to the point where the FBI director basically said, ‘Just pay the ransom.'”

    To hold for ransom thousands of paper records stored in metal filing cabinets the thief needs a dolly, a truck and lots of time.

    D. Kellus Pruitt DDS


  2. Eaglesoft 17 Security

    A video showing the weakness of Eaglesoft 17 Database Security.

    Justin Shafer reveals how easy it is for one to obtain passwords from EagleSoft dental EHR systems:

    D. Kellus Pruitt DDS


  3. Researchers uncover first ransomware targeting Apple Mac users

    A new PC malicious code waits three days before connecting with hackers’ servers.

    Unaware users may already be at risk though a fix is currently available. So, will this MAC-ATTACK continue?

    Dr. David Marcinko MBA


  4. 1 in 4 U.S. Consumers Have Had Digital Medical Information Stolen

    Accenture recently released results from their survey on healthcare data breaches. Here are some key findings from the report:

    • 1 in 4 U.S. consumers have had their digital medical information stolen.
    • Half of those who experienced a breach were victims of medical identity theft.
    • Identity theft victims had to pay $2,500 in out-of-pocket costs per incident.
    • Hospitals were the most common location for a breach, cited by 36% of victims.
    • 50% of consumers who experienced a breach found out about it themselves.
    • One-third were alerted to the breach by the organization where it occurred.

    Source: Accenture, February 20, 2017

