On May 3-5, we attended the H-ISAC MedTech conference in Orlando, Florida and on June 3-6, the AAMI eXchange in San Antonio, Texas. We met with a healthy mix of cybersecurity professionals and enthusiastic speakers who all discussed the development and importance of key practices within the MedTech field. Our team held booths to interact, discuss and connect with like-minded professionals and gave educational speaking sessions.
Were you unable to attend or are you curious about what we learned? Here are our top takeaways.
Threat modeling continues to be a central concern
Like other recent healthcare and security conferences, H-ISAC held a dedicated talk on threat modeling, covering both the process and its importance. During the FDA town hall presented by Dr. Suzanne Schwartz (Director of Strategic Partnerships and Technology Innovation at CDRH), a lot of emphasis was put on the need for thorough threat modeling. Medical devices that fail to adhere to the FDA Premarket Guidance Draft and to execute threat modeling will be denied premarket approval.
The devices of tomorrow must be updatable
During the FDA town hall, the PATCH Act was a highlighted topic. All medical device manufacturers will need to demonstrate that the devices of tomorrow can be updated. The goal is to break the current cycle of brittle legacy devices by developing patching procedures across the industry that are both reliable and sustainable.
If the industry approaches this problem in a unified manner, updatable software will help minimize the issue of legacy device vulnerability in the future. The cybersecurity of medical devices must be considered an integral part of device safety and effectiveness to help secure the future of patient safety.
Highlighting vulnerabilities with a Software Bill of Materials (SBOM)
There was a lot of discussion around the topic of SBOMs. The core problem is that whenever a vulnerability is announced, Health Delivery Organizations (HDOs) want to understand the risk associated with the vulnerability and what steps could be taken to mitigate further issues. SBOMs do not immediately solve this problem, as a lot of work is necessary to match a given vulnerability to an SBOM component.
For example, WannaCry exploited the EternalBlue vulnerability in Server Message Block (SMB), an optional component of Windows that would not be listed on an SBOM.
Our takeaway was that Medical Device Manufacturers (MDMs) are still determining how to best share the information within the SBOMs in a way that doesn’t generate false positives for the HDO’s security and IT staff.
Perhaps there is common ground to be found that the industry has not thought of yet?
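As an added illustration of the matching problem (example code written for this post, not a tool from the conference or any vendor): a small Python matcher that checks constructed advisories against a constructed CycloneDX-style SBOM. It reports three outcomes rather than two, because "not affected" and "no such component listed" are different answers, and the SMB case above is the latter: an optional OS feature that has no SBOM entry cannot be matched either way, and treating it as "not affected" would silently hide the risk. Component names, versions and advisory ids are all hypothetical.

```python
import json

# Constructed SBOM (CycloneDX-like subset); every component and version is hypothetical.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"name": "zlib",    "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"name": "windows", "version": "10.0.19041", "purl": "pkg:generic/windows@10.0.19041"}
  ]
}
"""

# Constructed advisories: affected component plus a half-open version range
# [introduced, fixed). fixed=None means no fixed release is known.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "zlib",    "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADV-EXAMPLE-2", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1j"},
    # An optional OS feature (SMBv1-style) that the SBOM never lists as a component.
    {"id": "ADV-EXAMPLE-3", "component": "smbv1",   "introduced": "0",     "fixed": None},
]

def parse_version(v):
    """Turn '1.2.11' or '1.1.1k' into comparable tuples: (int, letter-suffix) per dot part."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append((int(digits) if digits else 0, p[len(digits):]))
    return tuple(parts)

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or no fixed version exists)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def match_advisories(sbom_json, advisories):
    """Map advisory id -> 'affected' | 'not_affected' | 'no_component'.
    'no_component' means the SBOM cannot answer the question, which is the
    status a defender must escalate rather than close out."""
    sbom = json.loads(sbom_json)
    by_name = {c["name"].lower(): c["version"] for c in sbom["components"]}
    result = {}
    for adv in advisories:
        ver = by_name.get(adv["component"].lower())
        if ver is None:
            result[adv["id"]] = "no_component"
        elif is_affected(ver, adv["introduced"], adv["fixed"]):
            result[adv["id"]] = "affected"
        else:
            result[adv["id"]] = "not_affected"
    return result
```

Running `match_advisories(SBOM_JSON, ADVISORIES)` flags zlib as affected, openssl as already patched, and the SMBv1-style advisory as unanswerable from this SBOM.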
Do you want to discuss some of these topics?
We would love to hear from you, reach out to us and let us continue the conversation!