Cybersecurity For Medical Devices: Three Threads Intertwined
Presented to MedSun audio conference "Cybersecurity of Medical Devices" on April 12th, 2005
by Scott Bolte (Scott.Bolte@ge.com)
Product Security Program Manager, GE Healthcare
3/
Scott Bolte /
2005-04-12
Constraints on Manufacturers
Manufacturers rarely need to get approval from FDA with regard to cybersecurity fixes. However, they always need to validate safe & effective operation after changes, including 3rd party patches.
No one can predict the impact of 3rd party changes on clinical operations in advance. Therefore, verifying and validating seemingly minor changes may take significant time.
Determining the impact of a patch, or any other design change, usually requires deep understanding of the medical device.
Everyone would like to move faster, but there is no magic way to avoid necessary validation.
GE Healthcare Initiatives in a Nutshell
Product Development Changes:
Eliminating default but unnecessary network services to reduce the opportunities for future attacks.
Objective & automated vulnerability assessments at each product release.
Formal design requirements system augmented with new security requirements.
Improved Communication:
Ongoing security education & awareness training throughout GE Healthcare.
Improved channels of communication with customers.
Ongoing Communications
Cooperation between hospital IT staff and clinical personnel is critical since both parties have essential knowledge. It is dangerous when they work independently.
Cooperation between healthcare providers and equipment manufacturers is also critical, for the exact same reasons.
Treat security problems and concerns like any other problem with a medical device. They are hazards that need to be appropriately addressed.
Don't reinvent the wheel or set up special channels -- use established support mechanisms.
Conclusion
Everyone has things they can do on their own to manage risk, both immediately and long term.
Industry forums should be used to share knowledge and develop common solutions.
GE Healthcare will continue to work with our customers and our peers to develop better products, standards, and practices for the industry.
Medical device cybersecurity risks can be managed without interfering with patient care if we work together.
Copyright 2005 by General Electric
Company
Additional Information
GE Healthcare
The ever-growing security portal http://www.gehealthcare.com/usen/security/index.html includes:
http://nema.org/prod/med/security/ includes:
Break-Glass - An Approach to Granting Emergency Access to Healthcare Systems
Patching Off-the-Shelf Software Used in Medical Information Systems
Defending Medical Information Systems Against Malicious Software
http://www.himss.org/ASP/topics_medicalDevice.asp includes:
original Manufacturers Disclosure Statement for Medical Device Security (MDS2),
Department of Veterans Affairs Medical Device Isolation Architecture Guide,
links to current issues, trends and tools,
contact information to join work group.
communication such
as the MDS2