Some years ago, I was working for a professional services firm. One of our clients was an international medical device company working on implantable devices for cardiac rhythm management. We were going to perform a security assessment for their remote monitoring service, which was under development.
After much work, the contract was almost ready to be signed. We had the agenda, logistics and scope thoroughly worked out. It was just the terms and conditions, and, of course, pricing that were slowing things down a bit.
Our company had a well-known security rock star on staff. He would be in the vicinity of the device company’s headquarters, and the sales executive thought that having him pop in for a quick security briefing would be a surefire way to seal the deal. It turns out the rock star had the time and interest in the project, and the meeting was scheduled.
The following week, the rock star debriefed us and said the meeting went well. He told them of the importance of getting security right for these implantable medical devices and mentioned something he and a researcher had recently written on the topic. He assumed, as we all did, that the client was now ready to sign.
When the sales executive called the client back, he agreed that the meeting had gone very well and that the rock star had provided them invaluable insights. He felt it had gone so well, in fact, and the rock star had given him so much information, that they decided to do the security assessment on their own. They completely misunderstood most of what the rock star had said. The contract was never signed, and the project never commenced.
I never followed up on the product development. But if they did do everything themselves in the end, I would not want to be a patient with bradycardia with their device in my heart.
Doing medical device security correctly is a massive undertaking and critical for patient safety. In Medical Device Cybersecurity for Engineers and Manufacturers (Artech House), authors Axel Wirth, Christopher Gates and Jason Smith have written an absolutely stunning guide on the topic.
After a brief introduction, the authors take a deep dive and spend the rest of the book detailing all security and privacy elements that must go into a medical device. The book is written as a reference for engineers, managers, those who have to deal with FDA device regulations, device manufacturers and more.
At 260 pages, the book may seem slightly slim, but the authors have artfully detailed all of the core areas around medical device security that must be dealt with to ensure the device is securely developed, manufactured and distributed.
The authors leave no idea uncovered. From dealing with counterfeit components (which is the scourge of many industries), supply chain, risk management, FDA regulations and more, this is the definitive guide on the topic.
About a decade ago, the late, legendary security guru Barnaby Jack, then Director of Embedded Device Security at IOActive, sounded the alarm about the many medical device insecurity issues. A lot has changed since then, much of it for the better. This book addresses most of what he was concerned about.
Medical Device Cybersecurity for Engineers and Manufacturers should be required reading for anyone involved in the matter. It is an essential book that is long overdue. If this were around when the security rock star visited our potential client, he would have left it on the client’s desk and walked away. And I’m confident the contract would have been signed.