Developing Medical Device Cybersecurity Maturity Benchmarks
Rob Suárez of Becton, Dickinson & Co. Discusses Effort to Promote Best Practices
An effort to establish industry benchmarks for medical device cybersecurity maturity aims to help advance overall cybersecurity in the healthcare sector, says Rob Suárez, CISO of medical device maker Becton, Dickinson and Co., or BD.
The benchmark development effort is being championed by two health sector private-public coalitions - the Medical Device Innovation Consortium, or MDIC, and the Healthcare and Public Health Sector Coordinating Council, or HSCC - in partnership with consulting firm Booz Allen Hamilton, says Suárez, who is chair of the MDIC cybersecurity working group leading the project.
A critical part of the benchmark development work will involve analysis of findings from a self-assessment cybersecurity maturity survey that medical device vendors are invited to take online.
The survey includes 44 questions based on the HSCC's Medical Device and Health IT Joint Security Plan's maturity assessment framework. But an organization's previous or current use of the Joint Security Plan is not a requirement for participation in the self-assessment survey, Suárez says. He also says that all identifiable information provided by respondents will be kept confidential. Responses from the online survey will be gathered until June 1.
In developing the benchmark, MDIC and Booz Allen Hamilton will analyze the self-assessment survey findings and examine the medical device industry's adoption of certain security best practices - such as the use of various design controls, according to Suárez.
For instance, that might include evaluating the industry's use of automated analysis of software and code, such as static code analysis, Suárez says in an interview with Information Security Media Group.
"That's a best practice that many companies can implement within their own R&D organizations so that they are producing more secure software and code. It also reduces the amount of time [spent by] software developers to go back and fix their code," he says.
"The benchmarking will allow you to establish 'How good are you doing with static code analysis or vulnerability scanning?' and other best practices," he says. "Based on the industry benchmark, you can establish goals for your own organization … to improve and seek parity with the industry benchmark … or exceed it."
In the interview, Suárez also discusses:
- Details about the medical device cybersecurity maturity self-assessment tool;
- Common areas of medical device cybersecurity immaturity among organizations;
- Ways to improve the state of medical device cybersecurity.
Suárez serves as CISO at BD, overseeing cybersecurity across the company’s enterprise, IT and manufacturing systems. He also chairs the cybersecurity steering committee for the Medical Device Innovation Consortium and the cybersecurity working group for the Advanced Medical Technology Association.