With news hitting the headlines that global pharmaceutical company Pfizer Inc. has suffered a huge data breach, and in light of National Cyber Security Awareness Month, attention is turning to security programs for medical device firms. Here, Dan Lyon, Senior Principal Security Consultant at Synopsys, examines why organisations need to establish a product security program and bring on the appropriate security resources.
I have had the opportunity to work with a variety of global medical device manufacturers over the last few years. Recently, I have also started working with some newer organisations that are not yet global in scale. A recurring theme is that these organisations have not yet established true ownership for security within the company, even though there is increasing regulatory pressure to build security in, evidenced by updated FDA guidance and recognition of international standards such as IEC 62443, UL 2900 and AAMI TIR 57.
Build security in
While organisations are aware of the increasing regulatory pressure, what many are not yet aware of is how the software security industry has learned and evolved over the last 20 years to realise the ‘Build Security In’ ideal. For any medical device manufacturer, it only makes sense to learn from where the industry has been and use that knowledge to jump start an initiative to address security for their medical products and systems.
Building security in, like safety and reliability, requires a mix of people, process and technology applied by an organisation to achieve the security goals appropriate to a system. This requires an organisational structure that can bring about the needed changes in processes and skillsets to create the right technological solutions. Without a proper organisational structure that owns and drives these changes, security will be a piecemeal effort at best. Any piecemeal effort is doomed to fail, because security is a systems problem. The organisation needs to set itself up to address systems problems through the development organisation and the processes used to create products.
First and foremost, looking at any security-mature organisation, one will notice that responsibility is clearly established at a leadership level, with security being the sole responsibility of key roles such as a Chief Information Security Officer (CISO). The CISO tends to have broad responsibility for the entire organisation, and products are but one of many concerns. One of the trends that has emerged among medical device manufacturers is the creation of a new role, a Product Security Officer or Product Security Group, whose sole purpose is to help guide the product development processes and tools to adopt secure-by-design principles.
The three mis-steps described below are things I regularly see when a company sets up a new initiative around security. They are things we often end up discussing with manufacturers to help them drive faster and more effective security programs.
In my experience, many manufacturers start with only a vague understanding of what security is and how to achieve it, primarily informed by what not to do through sensationalized media headlines. Independent security researchers and media exposure are a fundamental part of the security industry, yet those headlines and articles do not address the critical topic of organisational support to build security into devices.
- Lack of responsibility and accountability
Too often, I see organisations that do not have a product security function at all. In these cases, either no one is thinking about security or security is supposed to be addressed by everyone. When security is everybody’s responsibility, no one owns it. This type of organisational structure will lead to basic security needs being left out of the development process.
- Assigning security as a part-time job
I often see organisations assign security responsibility as a part-time job to someone who has other large responsibilities, such as quality or regulatory. Having a single person responsible for security who is also responsible for additional aspects like project management or product quality is insufficient. This type of organisational structure will lead to security needs that take a backseat to other items such as project cost, schedule or performance. This lowering of priority will lead to increased risks for the organisation with respect to regulatory approval or media exposure, and in the worst case may lead to increased safety risks.
Both of these approaches fail to set up a clear line of ownership, responsibility and priority. Product security is broad, complex and different enough that it needs dedicated resources that focus all their time on security. Just like building a safety program that drives the organisation to compliance with appropriate standards such as ISO 14971, medical device manufacturers need to build that same organisational capability for security.
- Applying traditional security software tools to products
Organisations will often start out by assigning someone whose background is not product development but information technology. This organisational structure causes a lot of friction between the IT security group and the product development group, because neither understands the other very well. The solutions IT professionals are used to do not always apply well to medical devices. Likewise, the development organisation struggles to identify and incorporate the true security needs coming from the IT security function.
Looking again at safety as an example, one would not assign product safety responsibility to a person or group with no background in building devices for patient care. Addressing these problems requires new and different skillsets. There are two ways that organisations grow this capability. The first is hiring people with backgrounds in both security and product development. While this is sometimes possible, the mix of skills is very rare, and organisations have learned that the next best approach is to take an engineer already familiar with product development and teach them security. This approach takes time but can be a rewarding career path for the right individual.
Never too late
We have seen these mis-steps many times through the Building Security In Maturity Model (BSIMM), a decade-old study that aims to understand how real-world organisations are executing their software security strategies. Any medical device manufacturer interested in security needs to be familiar with BSIMM in addition to the regulatory environment and medical device security standards.
Organisations start their security journeys from different places, and there are significant challenges in building organisational capability and changing culture. However, wherever a company is in its security journey, avoiding the three common mis-steps above will cut years off the time it takes to build that new organisational capability.