The Medical Device Innovation, Safety, and Security Consortium (MDISS) announces that it is developing a set of recommended practices and profiles for securing medical systems based on the normative requirements in the ISA/IEC 62443 series of standards for industrial automation and control systems cybersecurity. The intent is to share the information across the network of MDISS member organizations, which includes medical device manufacturers, healthcare software companies, hospital networks, and insurance companies.
“MDISS is committed to improving the state of cybersecurity in medical devices and systems to reduce risks to patients,” says Dale Nordenberg, MD, MDISS executive director. “We view the ISA/IEC 62443 standards as providing a solid basis for the development of comprehensive profiles and recommended practices in this area.”
The ISA/IEC 62443 standards are developed primarily by the ISA99 committee of the International Society of Automation, with simultaneous review and adoption by the Geneva-based International Electrotechnical Commission. ISA99 draws on the input of cybersecurity experts from across the globe in developing standards in a process that is accredited by the American National Standards Institute. The standards are applicable to all industry sectors and critical infrastructure, providing a flexible and comprehensive framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems.
Application to connected medical devices reflects the growing use of the standards across multiple sectors worldwide, points out long-time ISA99 co-chair Eric Cosman.
“When we first formed the ISA99 committee, we deliberately stated our scope in terms of potential consequences rather than limiting ourselves to specific industries,” Cosman says. “This decision has served us well as the ISA/IEC 62443 standards not only have been applied across traditional manufacturing and industrial processing sectors, but also extended to rail transportation, building automation, and now medical systems.”
Does it make sense that we have rolled out a system of vast interconnectivity without first learning how to protect it from hacking? And then having discovered that it is highly hackable, keep adding to it even including applications that don’t really require connectivity?
I have attended various cybersecurity webinars.
But I have not found any case studies, or how HDOs prevent potential or current cyber attacks.
Many of them keep saying that HDOs are the weakest area against cyber threats.
However, they did not show a real case at all.
As an HTM, I really want to know how we can prevent these types of attacks for new and existing devices.
The device side has long confused “vulnerabilities” (i.e., it is possible to…) with actual events (of which there are hardly any documented cases). It is also often the case that vulnerabilities are being pointed out but those who want to fix them. One issue is that, other than targeted or miscellaneous mayhem, there is little motivation to actually attack a medical device. This is quite different from, for example, network ransomware, where the motivation is immediate payment.