Critical Security Considerations for Medical Devices
Naomi Schwartz, Formerly of the FDA, Discusses Top Cyber Concerns for Devices
Too many medical device makers don't pay close attention to the fine details and features of their product designs to ensure they are safe and secure, says Naomi Schwartz, a former product reviewer at the Food and Drug Administration and current cybersecurity adviser at security firm MedCrypt.
Case in point: Bluetooth. Many device makers are adding the short-range wireless capability without carefully considering the cybersecurity risks, she says.
"When device makers solely rely on BLE secure connection or other mechanisms that are sort of industry standards, they may not realize that is not secure enough if their device has a certain risk profile," she says in an interview with Information Security Media Group. BLE is Bluetooth Low Energy.
"For a very mission-critical device, like a diabetes therapy delivery system, you need more security than BLE Secure Connect. So a lot of manufacturers are having to negotiate how to use standardized protocols and add security," she says.
Similarly, other device makers have developed a concept "that if they 'roll their own' cryptographic techniques, that they will help protect their IP and help to protect their devices," she says.
"That's a really dangerous thing to do because a 'roll your own' crypto is not going to be as well validated as a well-understood crypto technique, and you end up with something that may actually be extremely vulnerable because it's never been tested."
In the interview, Schwartz also discusses:
- The top security issues involving legacy medical devices;
- The most worrisome cyberthreats facing medical devices;
- Recommendations for how manufacturers can make their medical devices more secure and safer.
Schwartz has more than 20 years of systems engineering experience, including six years of medical device evaluation and postmarket event response while at the FDA. At MedCrypt, she consults with medical device manufacturers to assist them in meeting FDA regulatory requirements and guidelines. During her tenure at the FDA, Schwartz evaluated software, cybersecurity and interoperability for diabetes monitoring and therapeutic systems.