From Cutting-Edge to Legacy Devices: Maintaining Product Security in the Hospital
David Scott is the Director of Technical Consulting at BD, where he specializes in product security, information security, security engineering, innovation, product development and research. With more than 20 years of experience in cybersecurity, Scott is a self-reported “technology junkie” while remaining a “lover of analog communication.”
What are some key barriers to medical device security that hospitals face today?
In today’s environment, we constantly need to drive a balance between functionality and security, where we mitigate against threats while meeting the clinical demand to deliver a robust, interoperable and safe product for treating patients. Three barriers come to mind, and they all involve the critical relationship between an organization and their medical device manufacturers:
1. Asset management is a major challenge today. To secure devices effectively for clinical use, organizations need to understand what those devices are and how they are operationally integrated. It’s critical to track your assets. Evolving remote support solutions, enhanced secure connectivity and increased vigilance in inventory management are all keys to improvement.
2. Another top barrier is the speed at which the threat landscape changes for medical devices and a manufacturer’s ability to anticipate and respond to these threats in real time. Organizations should evaluate their vendor’s responses to emerging threats, such as the timeliness of issuing software updates or applying patches to a device. Medical technology companies need to be agile with their development and release processes, which require time for validation and verification prior to providing an update.
3. Too often, I see manufacturers compress contractual incident response and vulnerability timeline requirements. We need to issue well-defined compensating controls and mitigations to reduce security risk. But it’s reactive: we know that proactively improving security awareness and prioritizing security hygiene from an organization-wide perspective is important. Therefore, we actively collaborate with our customers to ensure they have the necessary information to best secure their BD products.
How have the FDA’s guidelines changed BD’s approach to releasing patches and upgrades?
FDA’s pre- and post-market guidance and recommendations in the recently released Safety Action Plan are building blocks of our product security framework, which integrates product security requirements across all stages of our development lifecycle. In addition to being part of good security hygiene, routine patching and updates are critical components of complying with mandatory Quality System Regulations (QSRs) for medical devices, which require that medical device manufacturers address all risks, including cybersecurity risk. The FDA has made updates to their market guidance to make it very clear: cybersecurity for medical devices, including security patching and sustainment, is not optional.
What comprises a strong vulnerability disclosure program?
A good vulnerability disclosure program must be built on a foundation of transparency and collaboration. That means there is transparency and collaboration among healthcare providers, partners, regulatory agencies, security researchers and patients. We cannot secure what we don’t know, and no one in the medical device or healthcare ecosystems can effectively implement adequate security alone. We’re all partners in security and, therefore, we need open and constant communication to maintain a healthy partnership.
As a company, we’re committed to complete coordinated vulnerability disclosure, along with providing recommended mitigations or compensating controls within 30 days of being notified of a potential vulnerability. In addition, we believe it’s important to maintain strong partnerships with the FDA, Department of Homeland Security/ICS CERT and HHS, as well as international regulatory organizations, and to include relevant parties from those organizations in every disclosure we complete.
What advice would you give to an organization looking to secure legacy or ‘unpatchable’ medical devices?
As part of an effective plan for legacy devices, it is key to understand how many end-of-life devices customers have in their environment. It is also critical to ensure that antivirus/antimalware and other endpoint solutions are up to date and functioning properly. In some cases, isolating impacted devices through network segmentation or virtual LAN configurations can be very effective. We’ve also found it helpful to integrate other existing intrusion detection, SIEM or SOC capabilities to maximize the defenses our customers have in place. Finally, it’s important to work closely with customers to create a timely, scalable technical upgrade plan that helps them manage those legacy devices out of their infrastructure.
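The asset-tracking point from the first answer and the legacy-device steps in this one (count end-of-life devices, check endpoint protection, isolate via VLAN, feed existing SIEM, plan upgrades) can be run as a single triage pass over a device inventory. The script below is an added example, not BD's code or any BD product; the inventory rows, dates, VLAN names and the event format it emits are all constructed for illustration.

```python
"""Legacy-device triage over a constructed medical-device inventory.

Added example (not BD's code). Inventory rows, support-end dates, VLAN names
and the SIEM event layout are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
import json

# Fixed "today" so the example is reproducible offline.
TODAY = date(2024, 6, 1)

# Constructed inventory: (asset_id, model, support_end, av_signature_date, vlan)
INVENTORY = [
    ("inf-001", "infusion-pump-v3", date(2027, 6, 30), date(2024, 5, 30), "vlan-clinical"),
    ("inf-002", "infusion-pump-v1", date(2021, 12, 31), date(2024, 5, 30), "vlan-clinical"),
    ("lab-001", "analyzer-x",       date(2025, 3, 31), date(2024, 3, 1),  "vlan-lab"),
    ("img-001", "imaging-ws",       date(2019, 1, 1),  date(2023, 11, 15), "vlan-clinical"),
]


@dataclass
class Finding:
    asset_id: str
    model: str
    support_end: date
    end_of_life: bool
    stale_protection: bool
    current_vlan: str
    target_vlan: str
    actions: list = field(default_factory=list)


def triage(inventory, today=TODAY, max_signature_age_days=14,
           legacy_vlan="vlan-legacy-isolated"):
    """Classify each device: past vendor support, stale endpoint signatures, or both.

    End-of-life devices are moved to an isolated VLAN and queued for upgrade;
    devices with old antimalware signatures get an endpoint-protection action.
    """
    findings = []
    for asset_id, model, support_end, sig_date, vlan in inventory:
        eol = support_end < today
        stale = (today - sig_date).days > max_signature_age_days
        actions, target = [], vlan
        if eol:
            target = legacy_vlan
            actions += ["isolate", "schedule-upgrade"]
        if stale:
            actions.append("update-endpoint-protection")
        findings.append(Finding(asset_id, model, support_end, eol, stale,
                                vlan, target, actions))
    return findings


def segmentation_plan(findings):
    """Group assets by the VLAN they should end up on after triage."""
    plan = {}
    for f in findings:
        plan.setdefault(f.target_vlan, []).append(f.asset_id)
    return plan


def upgrade_queue(findings):
    """End-of-life assets ordered so the longest-unsupported device is handled first."""
    eol = [f for f in findings if f.end_of_life]
    return [f.asset_id for f in sorted(eol, key=lambda f: f.support_end)]


def siem_events(findings, today=TODAY):
    """One JSON line per asset that needs action, for ingestion by an existing SIEM.

    The field names are constructed; map them to whatever schema the SIEM expects.
    """
    events = []
    for f in findings:
        if not f.actions:
            continue
        events.append(json.dumps({
            "ts": today.isoformat(),
            "asset_id": f.asset_id,
            "model": f.model,
            "end_of_life": f.end_of_life,
            "stale_protection": f.stale_protection,
            "move_to_vlan": f.target_vlan,
            "actions": f.actions,
        }, sort_keys=True))
    return events


def summary(findings):
    """Counts a security team would report: total, end-of-life, stale protection."""
    return {
        "devices": len(findings),
        "end_of_life": sum(f.end_of_life for f in findings),
        "stale_protection": sum(f.stale_protection for f in findings),
    }


if __name__ == "__main__":
    results = triage(INVENTORY)
    print(summary(results))
    print(segmentation_plan(results))
    print(upgrade_queue(results))
    for line in siem_events(results):
        print(line)
```

The signature-age threshold and the isolated VLAN name are parameters because they are site decisions; the point of the structure is that the inventory drives every downstream step, so a device the inventory does not know about gets no segmentation, no upgrade slot and no SIEM event, which is the gap the asset-management answer above warns about.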
Why BD?
BD’s approach to product cybersecurity is straightforward: we strive to deliver solutions that are secure by design, secure in use and secure through partnership. We’re continuously improving our sustainment infrastructure to provide enhanced visibility on compliance and device health to our service teams and customers so that we can better manage the security compliance of those devices. BD focuses on software-only products and solutions, which gives our customers the ability to actively and efficiently manage much of the third-party patching and update requirements for their products.