Medical Device Security Benchmarks Emerging
The Center for Internet Security (CIS) and the Medical Device Innovation, Safety and Security Consortium (MDISS) announced the availability of new resources to help address the growing security concerns about network-connected medical devices.
The CIS/MDISS Security Benchmark Mapping Guidance provided security recommendations that can be used by medical device manufacturers during the product development process, as well as assist healthcare providers in evaluating the security controls for medical devices prior to purchase and implementation.
The new security recommendations, which are released to coincide with National Cybersecurity Awareness Month, each provide a detailed, easy-to-use matrix that aligns industry recognized, consensus-based secure configuration best practices developed by CIS with Security Capabilities included in a Technical Report (IEC/TR 80001-2-2) within the International Electrotechnical Commission (IEC) 80001-1, a global standard for performing risk management of IT networks that include medical devices.
The configuration guidelines, which were developed in collaboration with healthcare providers, manufacturers, cybersecurity experts and government entities, specifically apply to those devices that incorporate Microsoft Windows 7 and XP operating systems, which are commonly used for healthcare device systems.
These new resources provide recommended security controls spanning a majority of the IEC/TR 80001-1-2-2 security capabilities, including system and application hardening, access control and malware detection and protection.
Additionally, healthcare providers can leverage the new CIS/MDISS guidance as supplementary resources to the widely used Manufacturer Disclosure Statement for Medical Device Security (MDS2) form, a collaboration between the Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA), which provides manufacturers with a means for disclosing the security-related features of the medical devices they bring to market.
"Medical devices and their associated networks are critical components of our nation's digital health infrastructure. Ensuring these devices and networks are secure is important for patient safety, patient privacy, and the safeguarding of our nation's critical health infrastructure, " said Dale Nordenberg, M.D., MDISS executive director. "MDISS members are committed to ongoing collaborative efforts to better understand security risks and to the development of innovative solutions that address increasing concerns of device safety and security."
"We must do everything we can to safeguard the IT systems that manage medical devices and the patients who rely on them," said William F. Pelgrin, CIS president and CEO. "CIS is pleased to co-lead this collaborative effort with MDISS and work with all of our partners to develop well-defined security baselines that help further strengthen defenses against cyberattack."