In the wake of the Food and Drug Administration (FDA) issuing both “premarket” (2014) and “postmarket” (2016) guidance for improving security in the development and manufacture of connected medical devices, the Open Web Application Security Project (OWASP) has released a set of best practices for the secure deployment of those devices.
As the report’s author and project leader, Christopher Frenz, puts it, “a medical device with all the security features in the world will not stand up to an attack if it is deployed in an insecure manner.”
Frenz, also director of IT infrastructure at Interfaith Medical Center, said the “OWASP Medical Device Deployment Standard,” released last month, was not coordinated with the FDA, but is designed to be “complementary” to its guidance.
The document includes 32 recommendations grouped into seven categories:
- Purchasing controls
- Perimeter defenses
- Network security controls
- Device security controls
- Interface and central station security
- Security testing
- Incident response
The first category includes recommendations for rigorous evaluation of security and privacy standards built into any device before it is purchased.
That could make improving security a long process, since obviously, many organizations could have dozens to hundreds of legacy devices, designed to last a decade or more, that don’t meet modern best-practice standards. But Frenz said the deployment standard, “can serve as compensating controls for such devices. One example is the use of network isolation of a potentially insecure device, which lessens the chance of compromise and helps to mitigate the damage a successful compromise can cause.”
He said he knows not all organizations will have the time or money to comply with every item on the list, but said OWASP’s overall goal is to raise awareness.
He said organizations can start with risk assessments of their current device deployments, “and identify the controls in the standard that would best help mitigate the most serious risks they identified.”