Medical Device Security: Creating an Inventory
Dale Nordenberg Describes New Efforts to Keep Track of Devices
The challenges involved with tracking and managing the enormous number of diverse medical devices used in large healthcare entities contribute to the security risks posed by these products, says Dale Nordenberg, M.D., executive director of the Medical Device Innovation Safety and Security Consortium.
"The lifecycle of devices is such that many devices are in environments for decades," Nordenberg notes in part one of a two-part interview with Information Security Media Group. Healthcare entities, including those that have undergone mergers and acquisitions over the years, are "struggling with the diversity of the devices," he adds.
The creation of sophisticated inventory systems is critical to effectively dealing with the cybersecurity of thousands of devices, Nordenberg stresses.
"The ability to create high-quality inventories [including] granular data about each device and the characteristics inherent in the device - and the way they connect to the network - is a very big challenge," he says.
Healthcare entities' efforts to collect detailed information about the potential security issues of each medical device in use at their facilities are complicated by the fact that many manufacturers don't make this information readily available, he says. To help address the problem, MDISS - a not-for-profit consortium aimed at improving the security of medical devices throughout their lifecycles - worked with the National Health Information Sharing and Analysis Center to co-launch a Medical Device Security Information Sharing Council. Now, manufacturers and healthcare entities can report device vulnerabilities to the new council, he notes.
"The tools that we've built allow crowdsourcing so one healthcare system can do an assessment, collect detailed information about the device, [such as] the ports it requires, different kinds of communication protocols it can leverage, [and] whether or not the device can do encryption," he says.
In the interview, Nordenberg also discusses:
- Top cybersecurity technical challenges involved with medical devices;
- The varying levels of difficulty in securing some medical devices;
- Other tips for securing the vast array of medical devices used within healthcare organizations.
In part two of this interview, Nordenberg discusses why medical device cybersecurity needs to be tackled as a "public health" challenge.
In addition to his role leading the MDISS consortium, Nordenberg, a pediatrician, is CEO of the consulting firm Novasano Health and Science. He's a member of the Health IT Standards Committee of the Department of Health and Human Services' Office of the National Coordinator for Health IT as well as the FDA's National Evaluation System for Technology Planning Board. He also co-chairs the recently launched Medical Device Security Information Sharing Council for the NH-ISAC.