Category: medical device security

  • 3 things to do before you spend money on a HIPAA consultant for your clinical trial

    Flaskdata specializes in same data data and safety solutions for clinical trials. Flaskdata is a technology company specializing in clinical data management and monitoring. We are accomplished at providing our customers with the most effective way to achieve high quality clinical data and assure patient safety. There is no single solution that works for every clinical trial. We work […]

  • WannaCrypt attacks

    For your IMMEDIATE notice: If you run medical device Windows management consoles, run Windows Update and update your machine NOW. This is my professional advice considering the new ransomware worm out there attacking machines. MS17-010 has been out more than a month, but we have to assume that the majority of Windows-based medical devices […]

  • Encryption and medical device cyber security

    I have written pieces here, here, here and here on why encryption should be a required security countermeasure for network medical devices – but curiously, the HIPAA Security rule – Appendix A does not specifically require encryption. The final FDA guidance on cyber security for medical devices takes a similar position that we’ve adopted over the years – […]

  • The chasm between FDA regulatory and cyber security

    When a Risk Analysis is not a Risk analysis: Superficially at least, there is not a lot of difference between a threat analysis that is part of a software/hardware security assessment and a risk analysis (or hazard analysis) that is performed by a medical device company as part of their submission to the FDA. […]

  • 3 things a medical device vendor must do for security incident response

    You are VP R&D or CEO or regulatory and compliance officer at a medical device company. Your medical devices measure something (blood sugar, urine analysis, facial anomalies, you name it…). The medical device interfaces to a mobile app that provides a User Interface and transfers patient data to a cloud application using RESTful services over HTTPS. Sound familiar? […]

  • The importance of risk analysis for HIPAA compliance

    A chain of risk analysis: The HIPAA Final Rule creates a chain of risk analysis and compliance from the hospital, downstream to the business associates who handle / process PHI for the hospital and sub-contractors who handle / process PHI for the business associate. And so on. The first thing an organization needs to do is a risk analysis. […]

  • On Shoshin and Software Security

    I am an independent software security consultant specializing in medical device security and HIPAA compliance in Israel. I use the state-of-the-art PTA – Practical Threat Analysis tool to perform quantitative threat analysis and produce a bespoke, cost-effective security portfolio for my customers that fits their medical device technology. There are over 700 medical device companies […]

  • Why anti-virus doesn’t work for medical devices

    Are you checking off medical device security in your hospital with anti-virus: falling for security theater; feeling secure and enjoying the show, but in fact being less secure? A medical device is not an office PC: The most common security countermeasure in use today is anti-virus software for Windows-based workstations to protect the Windows PC from […]