MEDICAL DEVICES: Special Considerations

By Staff Reporters

***

***

INFORMATION TECHNOLOGY CONSIDERATIONS FOR MEDICAL DEVICES

In 2013, the Food and Drug Administration (FDA) issued its first cybersecurity safety communication, followed in 2014 by final guidance. It struck a reasonable balance between new regulations (almost none) and guidance (in the form of non-binding recommendations).

In 2015, the Federal Trade Commission (FTC) released a staff report entitled Internet of Things: Privacy & Security in a Connected World, in which it recommended that Internet of Things (IoT) devices, which of course include medical and clinical devices, maintain a good security posture. It’s worth noting that the FDA, FTC, and other government regulators are converging on a few key guidelines. The following recommendations come directly from the FTC report.

Companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider:

  • Conducting a privacy or security risk assessment
  • Minimizing the data they collect and retain
  • Testing their security measures before launching their products

The report further recommends that:

  • Companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.
  • Companies should retain service providers that are capable of maintaining reasonable security, and provide reasonable oversight of these service providers.
  • When companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.
  • Companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.
  • Companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

According to colleague Shahid N. Shah MS, the FTC report and FDA guidelines are remarkably consistent. When thinking of cybersecurity and data privacy, engineers tend to think about authentication, authorization, and encryption. Those are the relatively easy topics. For safety-critical devices, however, things are much more difficult and need to encompass a larger surface of questions, including but not limited to:

  • Asset Inventory: Is the device discoverable, and can it associate itself with standard IT inventory systems so that revision management, software updates, and monitoring can be automated?
  • Cyber Insurance: Does the device have enough security documentation to allow it to be insured by standard cyber insurance riders?
  • Patching: How is the firmware, operating system (OS), or application going to be patched by IT staff within hospitals (or the home for remote devices)?
  • Internal Threats: Has the device been designed to withstand insider threats (hospital staff, other network participants, etc.)?
  • External Threats: Has the device been designed to be locked down against external threats?
  • Embedded OS Security: Is the device sufficiently hardened at the operating system level, such that no extraneous software components, which increase the attack surface, are present?
  • Firmware and Hardware Security: Are the firmware and hardware components sourced from reputable suppliers and free of state-sponsored spying?
  • Application Security: Is the Microsoft Security Development Lifecycle (SDL) or similar software security assurance process integrated into the engineering process?
  • Network Security: Have all network protocols not in use by the device been turned off so that they are not broadcasting?
  • Data Privacy: What data segmentation, logging, and auditing are being done to ensure appropriate data privacy?
  • HIPAA Compliance: Have proper steps been followed to ensure Health Insurance Portability and Accountability Act (HIPAA) compliance?
  • FISMA Compliance: If you’re selling to the federal government, have proper steps, such as use of Federal Information Processing Standard (FIPS) certified encryption, been followed to ensure Federal Information Security Management Act (FISMA) compliance?
  • Data Loss Prevention (DLP): Is there monitoring in place to ensure data leakage outside of the device doesn’t occur?
  • Vulnerabilities: Have common vulnerabilities such as the Open Web Application Security Project (OWASP) Top 10 been reviewed?
  • Data Sharing: Are proper data sharing agreements in place to allow sharing of data across devices and networks?
  • Password Management: Are passwords hardcoded into the device or made configurable?
  • Configuration Protection: Are configuration files properly checksummed and protected against malicious changes?
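The Configuration Protection item above hides a common mistake: an unkeyed checksum detects corruption, but an attacker who can edit the file can simply recompute it. The following is an added example (not code from the original article or from any device vendor) that contrasts a plain SHA-256 checksum with a keyed HMAC whose key is assumed to live in device-protected storage; the device name, configuration keys and key material are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample configuration for a hypothetical device (not a real product).
SAMPLE_CONFIG = {
    "device": "demo-infusion-pump",
    "telemetry_host": "telemetry.hospital.example",
    "max_rate_ml_per_hour": 50,
}

def canonical_bytes(config: dict) -> bytes:
    """Serialize deterministically so the same config always yields the same bytes."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()

def seal_with_checksum(config: dict) -> dict:
    """Unkeyed SHA-256 'checksum' file: catches accidental corruption, not malice."""
    return {"config": config, "sha256": hashlib.sha256(canonical_bytes(config)).hexdigest()}

def verify_checksum(sealed: dict) -> bool:
    digest = hashlib.sha256(canonical_bytes(sealed["config"])).hexdigest()
    return hmac.compare_digest(digest, sealed["sha256"])

def seal_with_hmac(config: dict, key: bytes) -> dict:
    """Keyed HMAC-SHA256 tag; the key stays in device-protected storage, never in the file."""
    tag = hmac.new(key, canonical_bytes(config), hashlib.sha256).hexdigest()
    return {"config": config, "hmac": tag}

def verify_hmac(sealed: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical_bytes(sealed["config"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["hmac"])

def tamper_comparison(key: bytes) -> dict:
    """Simulate an attacker with write access to the config file but not to the key."""
    tampered = dict(SAMPLE_CONFIG, max_rate_ml_per_hour=500)
    # With a plain checksum the attacker just recomputes it after editing the file.
    forged_checksum_file = seal_with_checksum(tampered)
    # With an HMAC the attacker cannot produce a valid tag; the stale tag is all they have.
    forged_hmac_file = {"config": tampered, "hmac": seal_with_hmac(SAMPLE_CONFIG, key)["hmac"]}
    return {
        "checksum_accepts_tampered": verify_checksum(forged_checksum_file),
        "hmac_accepts_genuine": verify_hmac(seal_with_hmac(SAMPLE_CONFIG, key), key),
        "hmac_accepts_tampered": verify_hmac(forged_hmac_file, key),
    }

if __name__ == "__main__":
    # Placeholder key: a real device would derive this from a secure element or similar.
    print(tamper_comparison(b"device-unique-key-from-secure-storage"))
```

A digital signature over the file (private key held by the manufacturer, public key in the device) gives the same protection without storing a secret on the device at all.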

ASSESSMENT

It is vital to perform a security assessment of a healthcare practice to understand the environment, identify risks, and mitigate them. A one-time assessment with mitigation is not sufficient in 2025: this is a continuous process that must be repeated religiously to keep the practice secure and compliant.


***

***

EMOTIONAL INTELLIGENCE: How EQ Can Make You a Better Investor

By Vitaliy Katsenelson CFA

***

***

Your knee hurts, so you pay a visit to your favorite orthopedist. He smiles, maybe even gives you a hug, and then tells you: “I feel your pain. Really, I do. But I don’t treat left knees, only right ones. I find I am so much better with the right ones. Last time I worked on a left knee, I didn’t do so well.”

Though many professionals — doctors as well as lawyers, architects and engineers — get to choose their specializations, they rarely get to choose the problems they solve. Problems choose them. Investors enjoy the unique luxury of choosing problems that let them maximize the use of not just their IQ but also their EQ — emotional intelligence.

Let’s start with IQ. Our intellectual capacity to analyze problems will vary with the problem in front of us. Just as we breezed through some subjects in college and struggled with others, our ability to understand the current and future dynamics of various companies and industries will fluctuate as well. This is why we buy stocks that fall within our sphere of competence. We tend to stick with ones where our IQ is the highest.

Though we usually think about our capacity to analyze problems as being dependable and stable over time, it isn’t. It might be if we were characters from Star Trek, with complete control over our emotions, like Mr. Spock, or who lacked emotions, like Lieutenant Commander Data. This is where our EQ comes in.

I am not a licensed psychologist, but I have huge experience treating a very difficult patient: me. And what I have found is that emotions have two troublesome effects on me. First, they distort probabilities; so even if my intellectual capacity to analyze a problem is not impacted, my brain may be solving a distorted problem. Second, my IQ is not constant, and my ability to process information effectively declines under stress. I either lose the big picture or overlook important details. This dilemma is not unique to me; I’m sure it affects all of us to various degrees.

The higher my EQ with regard to a particular company, the more likely that my IQ will not degrade when things go wrong (or even when they go right). There is a good reason why doctors don’t treat their own children: Their ability to be rational (properly weighing probabilities) may be severely compromised by their emotions.

A friend of mine who is a terrific investor, and who will remain nameless though his name is George, once told me that he never invests in grocery store stocks because he can’t be rational when he holds them. If we spent some Freudian time with him, we’d probably discover that he had a traumatic childhood event at the grocery store (he may have been caught shoplifting a candy bar when he was eight), or he may have had a bad experience with a grocery stock early in his career. The reason for his problem is irrelevant; what is important is that he has realized that his high IQ will be impaired by his low EQ if he owns grocery stocks.

There is no cure for emotions, but we can dramatically minimize the impact they have on us as investors by adjusting our investment process. First and foremost, investors have the incredible advantage of picking domains where they can remain rational.

To be a successful investor, you don’t need Albert Einstein’s IQ (though sometimes I wish I had Spock’s EQ). Warren Buffett undoubtedly has a very high IQ, but even the Oracle of Omaha chooses his battles carefully; for instance, he doesn’t invest in technology stocks.

Investors have the luxury of investing only in stocks for which both their IQ and EQ are maximized, because there are tens of thousands of stocks out there to choose from, and they need just a few dozen.

Meanwhile, I hope that when I go to see the doctor, he will tell me, “I don’t do left knees,” because the best result will come from a doctor who, while treating me, uses both IQ and EQ.


***

***