Medical Device Makers Taking a New Approach to Cybersecurity

Phil Englert of H-ISAC on Tackling Evolving Security Challenges
Phil Englert, vice president of medical device security, H-ISAC

New regulations, including those coming into effect in the U.S., are pushing many medical device makers to radically reconsider how they approach cybersecurity for their products, said Phil Englert of the Health Information Sharing and Analysis Center.

Under legislation signed into law last December, the Food and Drug Administration's recently enhanced authority over medical device cybersecurity is raising the bar on what the agency requires from manufacturers in premarket submissions for their products.

That includes submitting to the FDA details regarding a device's security controls, a plan for coordinated vulnerability disclosure and a software bill of materials. If the details are not sufficient, the FDA will automatically reject the product submission.

"The new regulatory authority that the FDA has been granted, new regulations that have been put into place in Europe that we see spreading across the globe, are going to force manufacturers to rethink how they engineer their devices, the components they select to put in them, so that they can be lower-cost to maintain but also more flexible to maintain," he said.

Englert expects some manufacturers will choose to disconnect "the device's clinical functionality from the interoperability - the connection to the outside world. That's an approach that some are taking, and that is a smart way to go."

Beginning Oct. 1, under its "refuse to accept" policy, the FDA will automatically reject medical device premarket submissions that don't include specific cybersecurity details required by the agency as spelled out under the new law.

In this video interview at the Information Security Media Group healthcare security summit in New York City, Englert also discussed:

  • Top legacy medical device challenges;
  • The most concerning cyberthreats involving medical devices;
  • H-ISAC's information and cyber intelligence-sharing activities in the healthcare sector.

Englert has over 30 years of technical and operational leadership experience in healthcare and life sciences. Prior to joining H-ISAC, he served as chief product officer for MedSec, a cybersecurity consulting and services firm that focuses on hospitals and medical device manufacturers. He previously served as global leader for medical device cybersecurity at Deloitte, where he led client engagements developing medical device security programs.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
