Medical Device Security and Privacy

There are some really good white papers on Security and Privacy associated with Medical Devices. I often point at these because they are well written, yet pointed papers. I also point at them because I worked hard on the content, as I am a member and past chairman of the committee. This committee is a joint committee of the NEMA (an international organization, but tends to be somewhat North America based), JIRA (a European organization), and JIRA (a Japan based organization).

There isn't anything new from the group at this time, but I am posting this because they have changed their web site and just lately recovered all of the good white papers.The following are the most important and still relevent papers. There are more white papers on the site

Joint Security and Privacy Committee.  

• Certificate Management for Machine Authentication
• This paper is still very relevant to mutual authentication used in IHE ATNA. This paper discusses a couple of methods that can be used to manage these certificates, and how each way scales.  See Designing a Secure HIE
• Defending Medical Information Systems Against Malicious Software
• This paper covers some really important concerns that Medical Device vendors have regarding the unintended consequences that AntiVirus can have. Patient Safety is priority number one in healthcare. More importantly there are more ways to address malware (virus, worms, etc) than to simply apply AntiVirus.
• Patching Off-the-Shelf Software Used in Medical Information Systems
• This paper covers patch management relative to security patches from the third party software that the medical device vendor included in their product, such as the operating system. This paper was initially published back when Medical Device vendors were wrongly placing blame on the FDA for their non-action. Patching does need to be done in a controlled way, to protect patient safety.
• Break-Glass – An Approach to Granting Emergency Access to Healthcare Systems
• This is a view of 'break-glass' that is responding to a large scale disaster where the normal IT infrastructure may not be fully functional
• Information Security Risk Management for Healthcare Systems
• This paper helps Medical Device manufacturers manage IT security risks in healthcare systems by detailing the steps in security risk assessment in the context of security risk management. IT security risks are risks to data and systems. As a best practice, patient and operator safety risk management and IT security risk management processes should be separate but linked. They differ in both the vocabulary and expertise required for proper risk management. If combined as a single assessment process, one or the other is not treated appropriately.   This concept has received renewed interest including  IEC 80001 - Risk Assessment to be used when putting a Medical Device onto a Network

• Security and Privacy Auditing In Health Care_Information_Technology
• This paper discusses the aspects of Security and Privacy audit logging and log analysis in Healthcare. This paper was an important step to the creation of the IHE ATNA profile.See Accountability using ATNA Audit Controls and ATNA and Accounting of Disclosures