Tips on medical device security from the product leaders' perspective

Abbott's Curt Blythe, Medtronic's Matt Russo and MITRE's Matt Weir discuss security across the product life cycle, how to get support from device company leadership – and how you can become a device tester.
By Andrea Fox
11:30 AM

Photo: zf L/Getty Images

Medical device innovations have enhanced healthcare and improved patient care, but they present a broad attack surface for healthcare organizations.

NetSPI, a security service company, hosted medical device product security experts to talk about the business and challenges of securing connected technologies in healthcare. They addressed sharing information across teams throughout the product lifecycle, building product security teams, legislative changes governing the space and strategies to increase the pipeline of talent.

Where does product security sit within the enterprise?

Matt Russo, senior director of product security at Medtronic, Curt Blythe, director of product security at Abbott and Matt Weir, principal cybersecurity engineer at MITRE, all agreed that, regardless of where product security teams sit, they need to be partners in product development.

Where it makes sense from a scale and efficiency perspective, there's one team dedicated to scanning devices as a centralized function with a distributed model, Blythe said.

But the key point is embedding design and security practices into what developers do every day, which ultimately enables them to move fast, "but in a safe way."

Russo said that at Medtronic, "You can really see that across the landscape." 

While resource restrictions make centralized product security functions more feasible, and they generally work for Medtronic and other large organizations, he said many device companies need to look at the technical aptitude of security teams.

Is product security just a part of what they do?

Weir noted that it's hard to have a dedicated security team if you have a small product base. 

"The big thing though is that you do have that integration during your product development lifecycle," he said. 

When medical device developers try to add cybersecurity later into the process, it makes it much harder to be successful, he added. Weir advised integrating product security as early as possible into the product life cycle, and continuing communication as products evolve. 

Product security specialists bring visibility into systems. They can then see how the devices are being used, and they are better positioned to recommend mitigations, he said. 

How do you get buy-in for product security? Build a program and get executive support

Blythe said that by making leaders aware of policy changes on the horizon, you can get their buy-in.

"Tap into your government affairs organization and find out what policies are coming out, and how you stay out front of what is changing," and make sure leaders have that awareness, he said. 

"They are bought into that, right, and that can be translated down into their business and their leaders, and ultimately they can be successful in what they are trying to do."

Get your foot in the door by encouraging that process, Weir advised.

He noted that the Food & Drug Administration's premarket guidance recommends threat modeling. 

"When you can actually start to solve problems and you know, get ahead of these issues, that's when you start to realize the full buy-in to be able to do more," said Weir.

The 'new' legislative compliance climate for medical device security

With the passage of the 2022 Omnibus Appropriations Act, "including a rider essentially for the PATCH Act," said Blythe, the FDA has legislative authority over medical device manufacturers. 

They need to provide a software bill of materials, show a post-marketing monitoring process with threat intelligence and maintain the security posture of devices out in customers' hands. 

"I'll say that none of that is really new," said Blythe.

"All those main messages have been communicated previously," and the omnibus just shifts FDA's regulatory guidance to a legislative authority the agency will be looking to enforce, he said.

"It's really tough to go ahead and actually do it," Weir said of the SBOM. Having the ability to respond to new vulnerabilities is really important, he added.

Creating SBOMs is not a trivial task, Russo agreed. "It's still something the industry needs to work through."

Like to tinker? Become a medical device tester

Weir said that understanding the clinical workflows are more challenging than the cybersecurity aspects of medical device development.

While there are now more certifications than ever, Russo said the personality for the job of product security is the "tinkerer." 

The key difference with the product security function is, he said, "We want to break what the engineers build, right? We want to see how we can make it fail or how we can break apart what they've done," adding that whether it's through threat modeling or penetration testing, product security specialists are partners in product development.

They want to "feed that [information] back into the system, so it can be built back up better" and give that knowledge to the engineers that want to be the builders. 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Jeremy Petch will offer more detail at the HIMSS23 session "Opening the Black Box: Promise and Limitations of Explainable AI." It's scheduled for Wednesday, April 19 at 10 a.m. – 11 a.m. CT at the South Building, Level 5, room S503.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.