Regulatory Moves That Could Improve Medical Device Security
Researcher Daniel Bardenstein of CISA on Ways to Bolster Device Cybersecurity
Regulators should require all medical device makers to include a baseline of cybersecurity protections in their products and to build in a feature that allows vulnerability scanning of their devices without disrupting their safe operation with patients, says researcher Daniel Bardenstein, a technology strategist at the Cybersecurity and Infrastructure Security Agency.
The Food and Drug Administration's current approach to cybersecurity standards is to provide "nonbinding recommendations" in guidance to device makers, Bardenstein says.
But he says that approach results in inconsistency among manufacturers, and he adds that his medical device suggestions come from his research as a fellow at the Aspen Tech Policy Hub, a technology policy incubator organization, and not from his work at CISA.
"In order for a medical device to be approved by the FDA, it would at a minimum have certain common sense cybersecurity protections," Bardenstein says in an interview with Information Security Media Group.
"The idea of the baseline is not an exhaustive list. Obviously, there are many different types of medical devices with different considerations. But … regardless of what type of device … passwords should be required to be strong," he says.
Device Query Interfaces
Bardenstein says medical device makers also should be required to build into their products a "device query interface" feature that lets healthcare information security professionals apply standard cybersecurity tools and methods, such as vulnerability scanning, to collect real-time data about their organizations' medical devices without risking a device malfunction while it is in use with a patient.
The DQI feature "would help hospital security teams better understand what devices are on their networks … that might be vulnerable to potential cyberattacks," he says.
In a statement to ISMG regarding Bardenstein's recommendations, the FDA says: "While the FDA cannot comment on the contents of the draft premarket cybersecurity guidance prior to its publication, or to the potential for future medical device cybersecurity requirements, the FDA looks forward to presenting the guidance once it is finalized and sharing the agency’s ongoing efforts to further strengthen medical device cybersecurity, in coordination with federal government agencies and the private sector, so as to meet the evolving needs of the health care and public health communities."
In the interview, Bardenstein also discusses:
- How software bills of materials help improve medical device cybersecurity;
- Top cybersecurity and other related challenges faced by medical device makers;
- Security issues involving other internet-connected smart devices.
Bardenstein is a technology strategy lead at CISA and a research fellow at the Aspen Tech Policy Hub. He was previously product manager at the Defense Digital Service within the Department of Defense and led product teams at security vendors Exabeam and Palantir, building user-centric products to solve cybersecurity and national security problems.