IoT and Medical Device Cybersecurity: Standards Coming
A consortium of digital identity players is tackling cybersecurity for medical devices by crafting a set of industry standards and guidance to ensure manufacturers build trusted, secure and interoperable products.
SAFE Identity, a Reston, Virginia-based association that serves as a third-party certification body, said it has established a special Internet of Medical Things (IoMT) working group to standardize certification requirements based on industry best practices for device identity and assurance. Members so far are the digital identity firms Carillon, DigiCert, IdenTrust, PrimeKey and Trans Sped.
IoT and Medical Devices: Massive Cyber Target
To help make its point, SAFE pointed to an earlier study by IoT security company Zingbox (part of Palo Alto Networks) that determined there are 10 million to 15 million medical devices in U.S. hospitals with an average of 10 to 15 connected instruments per patient bed.
The research also found that more than 80 percent of healthcare organizations had been victimized by an IoT-type cyberattack. SAFE figures that establishing a recognizable cybersecurity certification badge specific to the medical industry will assure hospitals, radiology centers, medical labs and other device purchasers that a manufacturer has baked a standards-based security credential into its products.
SAFE said it has appointed Priti Dave, a 14-year healthcare IT industry veteran who currently serves as SAFE’s solutions strategy director, to head the working group. “Providing a path to secure medical device identities is a major step towards building the foundation for digital trust within healthcare,” said Dave. “The IoMT working group provides an excellent forum for all parties in the healthcare space to share their needs and expertise surrounding medical device security, and we encourage participation from across the industry,” she said.
SAFE Identity: Key Priorities
The project has three phases:
- Phase I: Modernize the SAFE Certificate Policy, a set of technical specifications, interoperability criteria, compliance guidelines and liability rules to meet the needs of the medical device space.
- Phase II: Establish operational guidance and implementation strategy to help device manufacturers and consumers of medical devices adopt industry standards and best practices.
- Phase III: Issue guidance on using the SAFE Trust Framework and industry best practices to satisfy aspects of FDA pre-market and post-market guidance for medical devices.
SAFE said medical device manufacturers, healthcare delivery organizations, other buyers of medical devices and industry consortiums are welcome to participate.
IoT Security Mandates: Example Legislation
While lawmakers have proposed a number of bills to address IoT cybersecurity, none have been industry-specific. For example, the bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2020 mandates that IoT devices purchased by the federal government meet minimum security requirements issued by the National Institute of Standards and Technology (NIST). An earlier attempt by lawmakers to codify IoT device cybersecurity suggested badging manufacturers whose products meet pre-set cybersecurity and data protection benchmarks.
Vertical markets notwithstanding, Juniper Research expects worldwide IoT security spending to increase by 300 percent to $6 billion by 2023, owing mostly to upticks in consumer markets’ product and service providers, and customers in industrial and public services.