Protected: Pre-Emptive Medical Device Network Security

john — Mon, 06 Nov 2006 21:39:48 +0000

IT Security of In Vitro Diagnostic Instruments and Software Systems

john — Sun, 05 Nov 2006 16:38:53 +0000

Standard issued by the Clinical Laboratory Standards Institute (CLSI), document ID “Auto-11P”. One of several recent attempts to specify standards for IT security in medical devices. Covers network security, separation of privileges, development best practices, as well as review techniques. Many of its elements are very basic (e.g. explanations of encryption and authentication technology, what is a firewall, etc.) and rely on common sense, but then again the medical and IVD fields are about 10 years behind the technology curve as security is concerned.

The doc is targeted at 3 sensible groups; vendors (i.e. R&D and support staff), end-users and customer IT managers. There is provision made for the idea of protecting against data theft, although the prime issue in this area is data corruption by malware and other attacks. As you are probably aware, the main problem facing medical device manufacturers is the inability to consistently patch systems to respond to newly discovered threats and vulnerabilities; every “change” to the nature of a system requires a complex and expensive re-validation process.

Naturally, the solution to this is “don’t develop purely oriented towards functionality”. In plain English, don’t scrounge around for technology that just happens to be available, such as Windows XP, without proper design criteria and a fundamental evaluation and risk assessment process (what will the long-term cost be due to the fact that we used crappy technology to start out with…) I’m hoping that the suggestions and requirements in this doc will narrow down the solutions chosen for development platforms such as diagnostic data stations to technologies considered secure and reliable by other industries–which have more experience in secure development.

Unfortunately, as it’s a commercial document I can’t post the text here, but it is available at http://webstore.ansi.org/ansidocstore/dept.asp?dept_id=57 and via CD-ROM subscription from CLSI.

From the press release at http://www.clsi.org:
“Newly proposed Clinical and Laboratory Standards Institute (CLSI, formerly NCCLS) document IT Security of In Vitro Diagnostic Instruments and Software Systems; Proposed Standard (AUTO11-P) specifies technical and operational requirements, as well as technical implementation procedures related to security of IVD systems (devices, analytical instruments, data management systems, etc.) installed at a healthcare organization. This document provides a framework for communication of IT security issues between the IVD system vendor and the healthcare organization.”

The Health IT Security Wiki

john — Fri, 03 Nov 2006 14:24:29 +0000

The health IT security wiki is a community portal with links to and information about standardization groups, laws, and other interesting bits related to healthcare and medical IT security. It’s a pretty good starting resource and incorporates pointers to a lot of the compliance-relevant and technical standards in this field, which is pretty far behind financial services and other areas in terms of having a firm grasp on information security.

Many of the topics are ones I have worked on in recent projects, and as such I will be posting more links to related groups, as well as descriptions of what they do (I got to write a little tiny bit of the CLSI Standard for IVD IT Security, whee!)

http://www.healthitsecurity.net/wiki/index.php?title=Main_Page

Chakraborty Software » Healthcare & Medical

Protected: Pre-Emptive Medical Device Network Security

IT Security of In Vitro Diagnostic Instruments and Software Systems

The Health IT Security Wiki