In the last few years, we've seen an increased focus on hardening medical device security using Symantec Critical System Protection (CSP). Regardless of the device manufacturer, the same pattern has emerged: two distinct factions within the client project team, one pushing for the least security possible and the other for the most.

Minimal security: field technicians and anyone with regular hands-on access to the device.

Maximum security: internal information security teams (architecture and operations).

With two groups approaching security from opposite directions, things are going to go awry. It makes sense when you think about it: the field team (the mechanics) that supports the devices once they are deployed already has its hands full with routine maintenance, and the last thing it wants is more complexity in how those devices are supported. The internal security team (the designer) that originally mandated the hardening is far removed from the field team's daily maintenance concerns and is focused on the security outcome alone. These opposing objectives create an internal tug of war inside the manufacturer, with the security consultants trapped in the middle trying to satisfy both teams.

As a security provider, we understand the importance of being flexible and keeping good relationships with everyone on the project. However, that flexibility can work against us when it opens the door to scope creep.

To mitigate this issue, we’ve come up with the following strategies:

  1. Ensure that the field technician teams and the internal security teams meet and agree on the security objectives of the project.
  2. Provide the manufacturer with use cases describing what other medical device vendors have done to secure comparable devices, for example:
    • Legacy Linux systems where all daemons and the application run as root
    • Legacy Windows systems where all services and application processes run as Administrator
  3. Provide the manufacturer with a set of hardening recommendations for the devices.
  4. Have the internal security team circulate the list of security requirements to all team members.
  5. Enforce adherence to the client-approved requirements.
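
The legacy Linux case above (root used for every daemon and the application) is worth quantifying before any hardening recommendation is written, because a process-restriction policy has to be scoped per process rather than per account when the account is always root. The following is an added example, not code from the original post or from any vendor or CSP policy: it parses the output of `ps -eo user,pid,comm --no-headers` and reports which root-owned processes are not in a short list of processes that are normally expected to run as root. The sample `ps` output and the process names in it are constructed for the example, and the expected-root list is an assumption the reader should tune to the device.

```python
"""Inventory of processes running as root on a legacy Linux device.

Added example, not from the original post. Parses `ps -eo user,pid,comm`
output and flags root-owned processes that are candidates for a dedicated
service account or a per-process restriction policy. The sample output
below is constructed for the example, not captured from a real device.
"""
import subprocess

# Constructed sample of `ps -eo user,pid,comm --no-headers` output on a
# hypothetical legacy device (process names are made up for the example).
SAMPLE_PS_OUTPUT = """\
root         1 init
root       412 syslogd
root       520 sshd
root       611 httpd
root       634 imaging-daemon
daemon     702 atd
nobody     810 dnsmasq
root       915 bash
"""

# Assumption: processes that are expected to run as root on almost any Linux
# host. Everything else found running as root is a hardening candidate.
EXPECTED_ROOT = {"init", "systemd", "sshd", "syslogd"}


def parse_ps(output):
    """Return a list of (user, pid, comm) tuples from ps output lines."""
    rows = []
    for line in output.splitlines():
        parts = line.split(None, 2)  # comm may itself contain spaces
        if len(parts) != 3:
            continue
        user, pid, comm = parts
        rows.append((user, int(pid), comm))
    return rows


def root_processes(rows):
    """All rows whose owning user is root."""
    return [r for r in rows if r[0] == "root"]


def unexpected_root(rows, expected=EXPECTED_ROOT):
    """Root-owned processes not in the expected set: hardening candidates."""
    return [r for r in root_processes(rows) if r[2] not in expected]


def summarize(output, expected=EXPECTED_ROOT):
    """Summary dict: process counts, root fraction and candidate names."""
    rows = parse_ps(output)
    roots = root_processes(rows)
    return {
        "total": len(rows),
        "root": len(roots),
        "root_fraction": len(roots) / len(rows) if rows else 0.0,
        "candidates": [comm for _, _, comm in unexpected_root(rows, expected)],
    }


if __name__ == "__main__":
    try:
        # Use the live host when ps is available; otherwise fall back to the
        # constructed sample so the script still runs offline.
        live = subprocess.run(
            ["ps", "-eo", "user,pid,comm", "--no-headers"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_PS_OUTPUT
    report = summarize(live)
    print(f"{report['root']} of {report['total']} processes run as root "
          f"({report['root_fraction']:.0%})")
    for name in report["candidates"]:
        print(f"  candidate for least privilege: {name}")
```

On the constructed sample the script reports 6 of 8 processes running as root and flags `httpd`, `imaging-daemon` and `bash` as candidates; on a real device the candidate list is the starting point for the per-process discussion with both the field team and the security team.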

Contact us for more information on proactive medical device security.