
By Phil Englert
Food Network fans may be familiar with Guy Fieri’s classic greasy spoon road trip across America known as “Diners, Drive-Ins and Dives.” The program focuses on small, independent eateries, regional styles or ethnic specialties.
Cybersecurity has its own Triple D – Design, Default and Demand. Design, Default and Demand are three concepts that HTM professionals can apply to the medical device environment to help ensure the equipment needed to provide patient care is available and safe. Secure by Design is an approach to software and product development that prioritizes security from the beginning of the design process. Secure by Default is a security principle that ensures products are configured with the most secure settings. Secure by Demand is a principle that empowers software customers to ensure that the products they procure are designed with security as a core consideration. Let’s review each principle and explore what implementation can look like.
Products designed with Secure by Design principles prioritize customer security as a core business requirement rather than merely treating it as a technical feature. Instead of treating security as an afterthought or a feature to be added later, it is integrated into every stage of the product life cycle. This method aims to identify and mitigate potential vulnerabilities before the product is released. What does that look like? Consumers can look for foundational principles when researching new medical devices.
When dealing with companies with a mature secure-by-design posture, you should feel that security is part of their culture and not just a program. Security will come across as a core value and responsibility at all levels of the organization. You will understand that security requirements are incorporated in the initial design and development phases. Your investigation should reveal that tailored threat models anticipate and address potential security threats during development and that secure coding standards prevent common vulnerabilities. Product literature will reveal defense-in-depth strategies to provide multiple layers of security and the fact that automated tools are continuously utilized to test for security issues throughout the development process. Finally, look for a robust program to manage and address vulnerabilities as they are discovered both in the development cycle and after the product is in your environment.
Three key implementation traits will help you better understand a company’s commitment to, and maturity in, Secure by Design principles. First, look for evidence of executive ownership demonstrating that security is a priority at the executive level and that there is accountability for security outcomes. Next, look at the level of transparency and accountability. Does the company embrace or resist sharing key information about vulnerabilities and security practices? A culture of willing transparency is evidence of a company with a higher maturity level and commitment to a better partnership in maintaining the cyber posture of medical technology. Finally, look for evidence of continuous improvement through regular updates and a roadmap for improving security measures based on new threats and vulnerabilities. Threat actors constantly find new ways to exploit vulnerabilities and attack organizations through technologies in their environment. By following these principles and steps, organizations can create products that are inherently more secure, reducing the risk of cyber-attacks and improving overall trust in their technology.
Secure by Default ensures that products are secure out of the box, with secure configurations enabled by default. This approach minimizes the need for users to make additional security configurations, thereby reducing the risk of vulnerabilities due to misconfigurations or oversight. A few key traits to look for are that default settings prioritize security, such as disabling unnecessary services and features that could introduce vulnerabilities. Look for products designed to be secure without requiring extensive setup or configuration changes to apply security controls. Default passwords should be unique and strong, and instructions should include how to change them. User authorization should incorporate the concept of least privilege. Setup instructions should identify changes that could reduce security and communicate them to the user, ensuring they understand the potential risks. This includes clear instructions and warnings when users attempt to change settings that could compromise security. If practical, look for systems configured to automatically receive security updates, reducing the exposure window to known vulnerabilities.
To implement Secure by Default in medical devices, start by determining which settings and configurations are critical for security on the device and within your network environment. Focus on authentication, access controls, network configurations and data protection. Ensure that default user accounts have minimal privileges. Enable encryption, use strong passwords and disable unnecessary services. Implement automated updates for your software to ensure it receives the latest security patches without user intervention, using secure channels to deliver updates and prevent tampering. By following these principles and steps, organizations can significantly enhance the security of their products, making it easier for users to maintain a secure environment.
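One way to turn the Secure by Default checklist above into a repeatable intake check, shown as an added example that is not part of the original column. The configuration field names, the list of unnecessary services, the 12-character password threshold and both sample device records are hypothetical and constructed for illustration.

```python
# Added example: audit a device's as-shipped configuration against the
# Secure by Default traits described above. All field names are hypothetical.
UNNEEDED_SERVICES = {"telnet", "ftp", "tftp"}  # assumed unnecessary here
MIN_PASSWORD_LEN = 12                          # assumed strength threshold

def audit_defaults(cfg, fleet_passwords):
    """Return findings for one device; a missing field counts as insecure."""
    findings = []
    pw = cfg.get("default_password", "")
    # Default passwords should be strong and unique to each device.
    if len(pw) < MIN_PASSWORD_LEN or fleet_passwords.count(pw) > 1:
        findings.append("default password is weak or shared across devices")
    if not cfg.get("password_change_documented", False):
        findings.append("no instructions for changing the default password")
    # Least privilege: the default account should not be an administrator.
    if cfg.get("default_account_role", "admin") == "admin":
        findings.append("default account has administrative privileges")
    exposed = UNNEEDED_SERVICES & set(cfg.get("enabled_services", []))
    if exposed:
        findings.append("unnecessary services enabled: " + ", ".join(sorted(exposed)))
    if not cfg.get("encryption_enabled", False):
        findings.append("encryption is not enabled by default")
    # Updates should be automatic and delivered over a tamper-resistant channel.
    upd = cfg.get("updates", {})
    if not upd.get("automatic", False):
        findings.append("security updates are not automatic")
    if upd.get("channel") != "https" or not upd.get("signature_verified", False):
        findings.append("update delivery is not protected against tampering")
    return findings

# Constructed sample records, not taken from any real device.
WEAK = {"default_password": "admin", "default_account_role": "admin",
        "enabled_services": ["https", "telnet", "ftp"],
        "encryption_enabled": False,
        "updates": {"automatic": False, "channel": "http"}}
HARDENED = {"default_password": "k7#Vq2!mZp9$Lx4d",
            "password_change_documented": True,
            "default_account_role": "operator",
            "enabled_services": ["https"], "encryption_enabled": True,
            "updates": {"automatic": True, "channel": "https",
                        "signature_verified": True}}
FLEET = [WEAK["default_password"], HARDENED["default_password"], "admin"]

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_defaults(cfg, FLEET) or "defaults pass")
```

Because every missing field is treated as the insecure value, an incomplete vendor disclosure produces findings rather than a silent pass.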
Secure by Demand empowers software customers to ensure that the products they procure are designed with security as a core consideration. This approach involves customers actively demanding and verifying that medical device manufacturers prioritize security throughout the product development life cycle. Customers are crucial in driving security by explicitly requiring it in their procurement processes. Demand transparency about security practices and use the Healthcare Sector Coordinating Council’s Model Contract Language for Medtech to identify and assign responsibilities and to hold suppliers accountable for security outcomes. Key steps during the procurement process are to clearly define and communicate security requirements in the procurement documentation and to request security artifacts such as a Software Bill of Materials (SBOM), vulnerability disclosure policies, and a security roadmap for identified vulnerabilities and missing or weak controls. How does the manufacturer handle security patches and updates? Are they automated and easy to apply? What is the patch and update cadence? Include security requirements as part of the contractual obligations. This can involve specifying the need for regular security updates, vulnerability management and secure coding practices. Provide feedback to the software manufacturer and work collaboratively to address security issues.
Technology buyers can enforce Secure by Demand principles by integrating these specific security requirements and practices into their procurement processes. Technology buyers can ensure that their software vendors prioritize security, thereby reducing the risk of vulnerabilities and enhancing the overall security of their technology ecosystem. HTM professionals can use the Triple D principles when evaluating, selecting, implementing and maintaining medical devices in the connected health care ecosystem.

