As cybersecurity threats in the healthcare sector evolve, medical device manufacturer ICU Medical is taking a number of steps to help safeguard its products. Marshall Fryman and Chaitanya Srinivasamurthy of the company describe these security initiatives.
Among the steps the San Clemente, California-based company is taking is enhancing single sign-on capabilities through a recent partnership with identity and authentication vendor Imprivata, Fryman says.
The enhanced single sign-on minimizes the burden on clinical users to obtain secure access to ICU Medical's devices, he says in an interview with Information Security Media Group.
"The key aspect of security of any system is security in layers, or in depth. So our products focus a lot on that approach," he says.
"We build a very deep layer of security around our products and our interoperability. Unfortunately, it's a hostile world, and you continuously see attempts to attack devices and networks both in medical and commercial spaces. It's a never-ending game of staying one leap ahead of where the attacks are coming from."
ICU Medical also has hired "an external white hat hacking firm to attack our products after we're done with the design and development process to ensure we meet [various security] standards and that there are no 'unknown unknowns' at that point in time," Srinivasamurthy says.
Standards Needed
"Security is a symbiotic relationship between the device and the network," he says. That's why healthcare organizations and medical device makers should collaborate to develop a standard for how devices are developed, designed and deployed in hospitals' networked environments, he adds.
In that vein, ICU Medical has worked with the National Institute of Standards and Technology's National Cybersecurity Center of Excellence in the development of guidance for securing infusion pumps in hospital network environments, he notes.
If healthcare organizations adhere to these standards, "it becomes easier for the vendors to design and develop their products" with security top-of-mind, he adds.
In the interview, Fryman and Srinivasamurthy also discuss:
Srinivasamurthy is director of cybersecurity and medical device connectivity engineering at ICU Medical. He is responsible for leading the company's cybersecurity activities, including designing policies, threat analysis, threat modeling, penetration testing and customer interactions regarding cybersecurity incidents.
Fryman is the company's director of innovation and interoperability. In that role, he heads an international team that develops medical products used in infusion therapy and critical care applications.