I have written pieces here, here, here and here on why encryption should be a required security countermeasure for network medical devices – but curiously, the HIPAA Security rule – Appendix A does not specifically require encryption.
The final FDA guidance on cyber security for medical devices takes a similar position that we’ve adopted over the years – namely analyzing threats (“Hazards”) and implementing a prioritized security countermeasure plan.
In our security and privacy compliance practice for biomed in Israel – we always take the position that the first step in determining the best and most cost-effective security countermeasures for your medical device is to develop a threat model and perform a threat analysis. Encryption may or may not be the first security countermeasure you must implement in your mobile medical device (think about fixing interface bugs first…) but it will probably be in your top 5.
Regardless of why the authors of the HIPAA security rule did not require encryption – it is instructive to take a look at the history of encryption and how we arrived at where we are today – where encryption is widely considered to be the silver bullet of security.
Learn about key cryptology events throughout the ages with the Egress History of Encryption infographic. Egress Software Technologies are providers of email encryption software and file encryption & large file transfers.