By Deb Radcliff, industry analyst and editor of CodeSecure’s TalkSecure educational blogs and podcasts (syndicated at Security Boulevard, YouTube, and Bright Talk).
In a past role at a large healthcare system with 100 clinics and hospitals, Phil Englert managed the health and safety of 380,000 medical devices of various versions manufactured by 500 different product companies. At the time, there was no automated way to assess and inventory these devices, and Software Bill of Materials (SBOMs) weren’t in the picture yet.
Now, thanks in part to the Food and Drug Administration setting minimum FDA requirements for device security in 2023, product security and SBOMs are getting more love from manufacturers. That in-part due to the FDA wrapping software product security into its product safety guidelines, Englert contends.
As new patient-care technologies are being released to the market, and with increasing regulations regarding the security of the software in healthcare devices, the Health-ISAC (information and sharing analysis center) recently set up a Medical Device Security Information Sharing Council (MDSISC) with a focus on Medical Device Manufacturing Security.
Englert is currently VP of the Health-ISACs embedded device division and serves as subject matter expert and contributor to MDSISC, which brings together over 300 people from healthcare organizations and medical device makers to develop solutions, identify best practices and facilitate the exchange of information to help secure medical devices and related practices.
Englert, with his unique background working as a product officer for medical device manufacturers and as a cybersecurity executive focused on medical devices for hospital systems, makes a good bridge between buyers and builders of these products. “At the heart of it, I’m a clinical engineer and that’s what I do here [at the Health-ISAC]. I began as a field services engineer and learned about the many different technologies that support healthcare and the variety of clinical environments that make healthcare systems a complex space to operate in.”
From his perspective, tremendous progress has been made in the part of development organizations, including integrating security testing into their developer workflow, improving logging ability, and producing SBOMs. Now, they need better ways to manage and track SBOM data and prioritize vulnerabilities.
“Consider that those 380,000 devices I used to oversee had at least a thousand software components in them. Now, think of the Log4j vulnerability. Without SBOMs, we’d have to go out to each of those 500 manufacturers to find out what percent of our environment could be impacted and then manually do the analysis of where to be exploited how would that impact our business of delivering healthcare and how could we recover quickly and gracefully. These are all elements that the SBOM could build efficiencies in and reduce the level of effort.”
Binary analysis scans that publish SBOM output on third-party code will also help engineering teams manage their source-code risks and provide visibility for consumer organizations that don’t have access to the source code.
“The SBOM is just an asset tool,” Phil explains. “But managing the vulnerabilities, recognizing them, and getting responses is where we’re going with SBOMs. That work hasn’t fully defined itself yet, but the industry is waiting to get there.”
In this interview, Englert provides a three-dimensional view on medical devices:
- The devices themselves
- The environments in which they are operating
- The people using them (doctors, nurses, clinical staff—and patients at home and connecting implanted and wearable medical devices to their smartphones)
Throughout the interview, he emphasizes how amazed he is with the innovation and connectivity of today’s medical devices and how their potential to greatly improve patient care. He also shares how such innovation can open new vectors of attack and provides advice for product development teams.
Resources:
Software Bills of Materials for healthcare devices are included in minimum FDA requirements.
Model Contract Language for MedTech Cybersecurity
Health Sector Coordinating Council Cybersecurity Working Group
