Here are our key take-aways from the day to help improve your cybersecurity strategy:
It’s crucial that we spend time building security into our products from the start of development. Dr Stephen Pattison, chair of the IoT Security Foundation, drew an analogy with the ‘three little pigs’ tale: the third pig in the brick house stayed safe from the wolf because he put time and effort into building a sturdier home from the beginning. Treating security as an add-on feature of a product already in development is dangerous; if we don’t consider the potential threats and mitigate those risks early in the process, we may find ourselves exposed to problems further down the line, when they are far more expensive to fix.
The digital world, and its threats, are constantly changing. Designing a product so that it can receive security updates after sale is therefore essential to keeping it secure throughout its lifetime, and it extends the useful life of the device. Deploying a security patch is rarely straightforward, especially in the healthcare industry, where meeting regulations and securing approval can be time consuming and costly. Regulators have recognised this challenge: the FDA’s guidance on postmarket management of cybersecurity in medical devices treats routine cybersecurity patches as updates that generally do not require premarket review, which simplifies getting a fix out to the field.
Many security researchers are constantly looking for security vulnerabilities in products and sharing their findings. As a responsible device manufacturer, it is important to give researchers a clear way to report any vulnerabilities they discover, for example via a webpage or a dedicated email address. Handling the findings, however, can quickly become complicated. Ignoring them is out of the question, but publishing them openly before a fix is available would expose every reported weakness to the public and in turn increase the risk to users of the product.
The question of how to coordinate vulnerability disclosure was raised numerous times throughout the conference. ‘Responsible disclosure’ (today more often called coordinated vulnerability disclosure) is a model in which a vulnerability discovered in a product is disclosed to the general public only after an agreed period of time. This gives developers and manufacturers the chance to address the issue first.
The FDA and the US Department of Homeland Security (DHS) have worked together on many aspects of medical device cybersecurity, most notably on coordinating vulnerability disclosures. They have helped medical device manufacturers receive technical information from cybersecurity researchers about identified vulnerabilities in their products, in a way that enables all parties to respond to potential threats in a timely manner.
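One concrete way to publish the reporting channel described above is a security.txt file (RFC 9116) served from the /.well-known/ path of the manufacturer’s website, which tells a researcher where to report, which key to encrypt with, and where the disclosure policy lives. The file below is an added example, not something shown at the conference or published by any vendor; the domain, addresses and URLs are placeholders.

```text
# Served at https://example-meddevice.com/.well-known/security.txt (placeholder domain)
# Contact and Expires are the two fields RFC 9116 requires.
Contact: mailto:security@example-meddevice.com
Contact: https://example-meddevice.com/security/report
Expires: 2026-12-31T23:59:59.000Z
# Lets researchers send details encrypted rather than in the clear.
Encryption: https://example-meddevice.com/security/pgp-key.txt
# Points at the coordinated-disclosure policy: timelines, safe-harbour terms, what to expect.
Policy: https://example-meddevice.com/security/disclosure-policy
Acknowledgments: https://example-meddevice.com/security/hall-of-fame
Preferred-Languages: en
Canonical: https://example-meddevice.com/.well-known/security.txt
```

Keep the Expires date in the near future and update the file when it lapses; a stale file is treated as invalid and is a common reason reports never arrive.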
IoT is still a young domain, but it is growing fast and becoming extensive, and we are seeing more and more regulation being implemented.
The state of California has passed a law banning pre-installed, hard-coded default passwords in internet-enabled devices. Under the ‘Information Privacy: Connected Devices’ bill, from 2020 every device sold in the state must either ship with a password unique to that unit or force the user to set new credentials before first use. The legislation was brought in to tackle distributed denial-of-service (DDoS) attacks, whose botnets are built by logging in with well-known default passwords that users never change.
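The difference between the two situations the law addresses can be shown in a small provisioning script. The example below is added here and is not from the conference or any manufacturer: it audits a constructed firmware config for a baked-in default credential, then issues each serial number in a batch its own random password from the OS CSPRNG and checks that the batch is unique and free of weak values. The config format, serial numbers and list of known defaults are constructed for illustration.

```python
"""Per-device credential provisioning and a default-password audit.

Added example (not from the conference or any vendor). The config format,
serial numbers and the list of weak defaults below are constructed.
"""
import secrets
import string
from typing import Dict, List

# Constructed sample of well-known factory defaults of the kind botnets try first.
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "root", "default", "1234"}
MIN_LENGTH = 12
ALPHABET = string.ascii_letters + string.digits

# Constructed "before" config: every unit built from this image shares one credential.
INSECURE_FIRMWARE_CONFIG = """\
# device.conf baked into the firmware image
hostname=infusion-pump
admin_user=admin
admin_password=admin
"""


def generate_device_password(length: int = 16) -> str:
    """Return a password drawn from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_weak_credential(password: str) -> bool:
    """True if the password is a known default or too short to resist guessing."""
    return password.lower() in KNOWN_DEFAULTS or len(password) < MIN_LENGTH


def audit_firmware_config(config_text: str) -> List[str]:
    """Return the keys in a key=value config whose value is a weak credential.

    Run at build time so a hard-coded default fails the build instead of
    reaching a customer.
    """
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if "password" in key.lower() and is_weak_credential(value):
            findings.append(key)
    return findings


def provision_batch(serials: List[str]) -> Dict[str, str]:
    """Issue every serial number its own credential and verify uniqueness.

    In production the per-unit password goes on the device label or sealed
    documentation and only a hash is stored on the device.
    """
    creds = {serial: generate_device_password() for serial in serials}
    if len(set(creds.values())) != len(creds):
        raise RuntimeError("duplicate credential in batch")  # not expected with a CSPRNG
    return creds


def batch_is_compliant(creds: Dict[str, str]) -> bool:
    """Unique per device and no weak values: the 'unique preprogrammed password' option."""
    values = list(creds.values())
    return len(set(values)) == len(values) and not any(is_weak_credential(v) for v in values)


if __name__ == "__main__":
    print("weak credentials in image:", audit_firmware_config(INSECURE_FIRMWARE_CONFIG))
    batch = provision_batch(["SN-000001", "SN-000002", "SN-000003"])
    print("batch compliant:", batch_is_compliant(batch))
```

The audit catches the shared default at build time; the provisioning step is what makes the shipped password unique per unit, which is the property a botnet’s credential list cannot exploit.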
Across the Atlantic, the UK is also gearing up for new laws on IoT security, following the ‘Secure by Design’ code of practice launched in October 2018. Government plans include legislation to impose a labelling system indicating the level of security of a device; retailers would only be able to sell products whose label shows a sufficient level of IoT security. To succeed on the market, devices will thus have to conform to the requirements set out in the 2018 voluntary code of practice.
While IoT security standards are far from complete, further regulation is expected in the near future, particularly building on the EU NIS Directive (NISD) and the NIST Cybersecurity Framework (CSF).
We’re working in a connected world where the risk agenda is constantly changing and events can quickly snowball. A wait-and-see approach to cybersecurity issues is not an option. We need to see the security aspect of product design and development not as an add-on feature, nor as a burden, but as an important investment: addressing security early will save financial and reputational cost in the future.
Does your medical device contain cybersecurity ticking time-bombs?