How to protect medical devices against cyberthreats

Healthcare organizations and makers of medical devices need to think about how to safeguard their critical medical gear against future cyberthreats, including the looming dangers posed by quantum computing, said Mike Nelson, global vice president of digital trust at security firm DigiCert.

“Quantum computing might not be here this year or next year, but it’s certainly coming,” Nelson said. Much of the expensive medical gear in use today and devices being sold right now, such as medical imaging systems, are not adequately protected against future threats, including those involving quantum computing and its ability to crack encryption.

“There’s debate on the timing of quantum computing, but there’s no debate on the need to be ready,” he said.

“When a hospital system buys a device like that, they don’t rotate those devices every couple of years. They can live on a hospital floor 10 to 15 years,” according to Nelson. “You need to be thinking of cryptography from an agility standpoint. If you’re using a medical device that will be in the field five to 10 years or longer, you need to be thinking about establishing resistance from quantum computing.”

Under legislation signed into law in late 2022, the Food and Drug Administration’s enhanced authority over medical device cybersecurity raises the bar on what is required from manufacturers in the premarket of their new devices submitted to the agency for approval.

If the details are not sufficient, the FDA will automatically reject the product submission (see: FDA Finalizes Guidance Just as New Device Cyber Regs Kick In).

“My advice to manufacturers is to be intentional in building your muscle around cyber, and make it a part of everything you do. It has to be embedded in the life cycle of the device.

In this audio interview with Information Security Media Group at the Healthcare Information and Management Systems Society conference in Orlando, Florida (see audio link below photo), Nelson also discussed:

• The “terrifying” risks involving the vast majority of IoT devices, including many medical devices in use today that are transmitting unencrypted data as free text;
• The top identity issues involving medical devices;
• The future impact of the FDA’s expanded authority over medical devices;
• Why public key infrastructure, or PKI, is the “connective tissue” between compliance and security for medical device manufacturers to meet the FDA regulations.

Nelson oversees strategic market development of digital trust across organizations to protect servers, users, devices, documents, software and more. Before DigiCert, he spent his career in healthcare IT, including successful stints at the U.S. Department of Health and Human Services, GE Healthcare and Leavitt Partners. BankInfoSecurity