
Medical devices riddled with security vulnerabilities

by Carol Ko, Staff Writer | June 20, 2013

DMBN: Some of these suggestions seem surprisingly basic — like having password protection, for example.

KF: Many of these things are basic — there are some manufacturers doing some pioneering work in security but there are more manufacturers that are somewhat in the dark and are looking for some indicators from FDA on what they're going to look for.

But there are certain subtleties on the passwords front, however, and some pretty good reasons for not having passwords on certain devices — a pacemaker for example. When I log in to my email, if I take three times and screw up, I don't mind if my email gets locked out for an hour. If I get my password wrong in my medical device that's implanted, I'd obviously like to get in. It creates a very challenging design space.

DMBN: What are some of the challenges manufacturers will face with these new guidelines?

KF: I don't think all manufacturers will have to redesign — I know some manufacturers are already taking these steps but are hesitant to speak up and say they're doing that.

My suspicion is that they don't want to draw attention to themselves to become a target. Although they're trying to do the best job they can, security is like insurance — things can always go wrong. Still, there are steps you can take to reduce the likelihood of a catastrophic event at the early design stages.

DMBN: What are some of the steps manufacturers can take in the design stage to strengthen cybersecurity?

KF: So a lot of them will seem kind of boring — one is, for instance, identifying a threat model. What exactly is the threat you're going to be designing against? If you're going to hook up a medical device occasionally to the internet, is your threat a potential virus that can get in on a 30-second window? If a manufacturer skips this basic step, they will create mechanisms that are more like snake oil, without clear benefit.

You can say, slap on some encryption or a password. Well that's nice, but does that address a specific potential vulnerability or potential threat? These problems are really more for the engineers to work out on the whiteboards in their design groups, but there's a big managerial component as well.

DMBN: Can you elaborate on that? What managerial issues hinder cybersecurity?

KF: It's what's known as a diffusion of responsibility. When it comes to security there's often quite a bit of finger pointing. The hospital might say, 'well, the manufacturer won't provide us with a device that we can secure.' The manufacturer might say, 'well, the hospital isn't willing to pay for it.' The FDA addresses both groups in their guidelines.
