In late December 2016, the US Food & Drug Administration (FDA) released the final installment of its cybersecurity guidelines, focusing on postmarket risk management in medical devices. The advice joins earlier premarket guidelines from late 2014, forming a full product-lifecycle continuum that helps manufacturers better protect the safety of patients in a world of increasingly connected medical devices.
Today, hacking of connected devices is rarely a deadly threat; a smartwatch may contain sensitive personal communications or account information, but it will not cause bodily harm if infiltrated with malware or other malicious code. This is not the case in the expanding world of medical devices, where extremely sensitive biometric data is used to deliver highly personalized medical care, often remotely under the supervision of a doctor. A malfunctioning medical device can stop working, cause an overdose, or potentially kill. With devices becoming more sophisticated and personalized, these dangers are only likely to increase, given that patients or caregivers may not easily be able to manually "override" the devices with standard doses or procedures.
Increasingly, medical devices may be connected to a variety of networks, including those belonging to healthcare facilities and those within patients' homes, creating multiple involved parties and multiple layers of risk to data and device functionality. Medical devices and the data they transmit are potentially an attractive target for hacking; in the past several years, stolen medical information has surpassed financial data in value on the criminal market. While a credit card number may be easily reset, a patient's health history and biometric details are inextricably tied to their identity, and can be used against them for a litany of nefarious purposes, ranging from extortion to discrimination. Thus, security of devices and privacy of data are paramount issues in the field of connected medicine.
The emphasis of the new guidelines – in conjunction with the premarket guidelines issued in late 2014 – is that security of these connected medical devices is an ongoing, full-lifecycle management issue. Security products alone, much like in the case of enterprise information management, are not sufficient to address the entire policy and technical basis for cybersecurity risk. Instead, control begins with awareness and policy, and branches out to include procedures for identification of risk, responsibilities for risk remediation, system architecture, maintenance timelines, and supporting technology strategy to achieve these objectives.
The new guidelines for postmarket cybersecurity management of devices take many principles from information management strategy, especially with regard to treating the entire security process as an iterative one that continues throughout the entire lifetime of the product, from creation to cessation of use or replacement. Device-makers are advised to:
- create a framework for continuous monitoring of device vulnerabilities
- maintain ongoing relationships with cybersecurity researchers so that vulnerabilities can be identified and patched as soon as possible
- have a methodology in place for assessing the severity of patient safety risk for any given security vulnerability
- identify and designate responsibility for data security among all parties that may come into contact with device data
- maintain robust software lifecycle processes that include mechanisms for monitoring third-party software components, and design verification and validation for software updates and patches.
Combined, these strategies clearly require a holistic framework that goes beyond a product "solution" approach. With increasingly sensitive data becoming ever more connected and exposed to threats, security needs to be more deeply ingrained in every step of the information management process.
Paige Bartley, Senior Analyst, Information Management