The Journal of mHealth Vol 2 issue 5 (Oct) | Page 21

Does Device Interoperability Sacrifice Security?

At the device level, medical device manufacturers must address three critical aspects of cybersecurity during design:

»» Create a security plan (similar to a safety risk management plan) early in the process. Make sure the plan addresses launch and post-market security protocols.
»» Conduct a device-specific threat assessment and revisit it throughout the design process. Threat assessment should include characterizing, modeling and measuring existing threats. Thinking about the ways that devices send and receive data gives us important clues to the ways they may be vulnerable to either intentional attacks or software glitches.
»» Design with security in mind by baking cybersecurity into hardware and software development from the start.

Once the device is on the market, medical device manufacturers of connected devices need to continue to be diligent and more proactive:

»» Schedule periodic reviews of the threat assessment once the device is deployed.
»» Be ready to act fast when an issue is identified, as time is critical to containment. Make sure your CAPA process has swift timetables for a response.
»» Define a responsible disclosure policy and link it to your CAPA process.
»» Be open and work with your customers right away when a security issue is identified.

Lastly, don’t be afraid to connect! The more data, the better the data, and the better correlated the data, the more insights we gain into individual health and healthcare quality. As medicine evolves towards more connection in the future, there is the potential for exponential improvement in our overall wellbeing.

To learn more about DeviceSecure from Battelle, visit battelle.org/our-work/pharmaceutical-medical-devices/medical-devices/battelle-devicesecure-services

About the authors

Melissa Masters, RAC, (B.S., Electrical & Computer Engineering)
Ms. Masters is Director of Electrical, Software and Systems Engineering at Battelle and heads Battelle’s DeviceSecure Services. Ms. Masters has more than 14 years of experience in product development as a project manager, systems engineer and design engineer, serving as the project manager and lead systems engineer on medical device development and sustaining engineering programs. Ms. Masters is a voting member of the Association for the Advancement of Medical Instrumentation (AAMI) working group on cybersecurity for medical devices and contributed to the vulnerability model for AAMI’s TIR 57. She has been published and widely quoted on a variety of medical cybersecurity topics in AAMI Horizons, Mass Device, ExecutiveGov.com, and Fierce Medical Devices. In addition, Ms. Masters holds a Regulatory Affairs Certification (RAC) and has a working knowledge of domestic and international regulatory requirements for medical devices.

Stephanie Preston, EIT, GIAC, CEH, (B.S., Computer and Electrical Engineering)
Ms. Preston is on Battelle’s Cyber Innovations team, where she focuses on firmware reverse engineering (x86, x86_64, MIPS, 8051), as well as application development (C/C++). She also serves as the team’s intellectual property steward. Ms. Preston contributed to the IEEE guidelines for security in medical device software development and production, a step toward industry standards that will systematically secure medical devices. Ms. Preston is a registered engineer in training (EIT) in the state of Ohio, and holds a Global Information Assurance Certification (GIAC) Security Essentials (GSEC) certification and a Certified Ethical Hacker (CEH) certification. She also serves as an adjunct faculty member at the Ohio State University College of Computer Engineering.

Continued from page 5

"While standards are in place, individual country standards need to be subject to international standards."

8) Who should be leading the drive to mandate these changes (e.g. industry alliances/initiatives, regulatory bodies, government policy)?

"It is in everyone's interest for this to work and healthcare organisations can play a key role through the procurement process. There may well also be a role for government at some level to encourage or even mandate those standards in procurement when it relates to public money – not just for healthcare but also other sectors which would benefit from wider interoperability.

"In the UK we are seeing healthcare community of vendors and providers engaging to create the interoperability charter.

"In economies where health and social care is not primarily government controlled, such as the US, it can still be incentivised, although in developing markets it is more difficult."

9) What would be your top tips for managing digital deployments in healthcare, in terms of ensuring effective integration?

"Concentrate on stakeholder engagement. When users, vendors, and executives co-operate and collaborate to build a shared understanding of a successful project, they’ll have a great chance of achieving that success."

Steve Rudland is Customer Advocacy & Consulting Lead for Hyland, creator of OnBase in EMEA. He has more than 20 years' enterprise content management experience, gained in some of the world's leading technology companies. With particular expertise in systems integration, collaboration and multi-agency information sharing across the healthcare, social housing and local government sectors, Steve is currently advising clients on strategic healthcare business transformation projects in the UK and Denmark.