Modern system architecture for medical devices is a triangle of Medical device, Mobile app and Cloud services (storing, processing and visualizing health data collected from the device). This creates the need for verifying a chain of trust: patient, medical device, mobile app software, distributed interfaces, cloud service software, cloud service provider.
No get out of jail free card if your cloud provider is HIPAA compliant.
Medical device vendors must implement robust software security in their device, app and cloud service layers and implement regulatory compliance in people and technical operations. If you are a medical device vendor, you cannot rely on regulatory compliance alone, nor can you rely on your cloud provider being HIPAA compliant. I’ve written here and here how medical devices can be pivot points for attacking other systems including your customers’ and end users devices.
Regulatory compliance is not security
There are two notable regulatory standards relating to medical devices and cloud services – the HIPAA Security Rule and the FDA Guidance for Management of cybersecurity in medical devices. This is in addition to European Data Protection requirements and local data security requirements that a particular country such as France, Germany or New Zealand may enforce for protecting health data in the cloud.
The American security and compliance model is unique (and it is typically American in its flavor) – it is based on market forces – not government coercion.
Complying with FDA Guidance is a requirement for marketing your medical device in the US.
Complying with the HIPAA Security Rule is a requirement for customers and covered entity business associates to buy your medical device. You can have an FDA 510(K) for your medical device and still be subject to criminal charges if your cloud services are breached. HHS has announced in the Breach Notification Rule and here that they will investigate all breaches of 500 records and more. In addition, FDA may enforce a device recall.
But – compliance is not the same as actual enforcement of secure systems
Verifying the chain of trust
Medical device vendors that use cloud services will generally sign upstream and downstream business associate agreements (BAA) but hold on:
There is an elephant in the room: How do you know that the cloud services are secure? If you have a data breach, you will have to activate your cyber-security insurance policy not your cloud providers sales team.
Transparency of the cloud provider security operations varies widely with some being fairly non-transparent ()and others being fairly transparent (Rackspace Cloud are excellent in their levels of openness before and after the sale) in sharing data and incidents with customers.
When a cloud service provider exposes details of its own internal policy and technology, it’s customers (and your medical device users) will tend to trust the provider’s security claims. I would also require transparency by the cloud service providers regarding security management, privacy and security incident response.
One interesting and potentially extremely valuable initiative is the Cloud Trust Protocol.
The Cloud Trust Protocol (CTP) enables cloud service customers to request and receive data regarding the security of the services they use in the cloud, promoting transparency and trust.
The source code implements a CTP server that acts as a gateway between cloud customers and cloud providers:
- A cloud provider can push security measurements to the CTP server.
- A cloud customer can query the CTP server with the CTP API to access these measurements.
The source code is available here on Github.