-
Killed by code – back to the future
I hope that the code in your digital therapeutic for treating autistic children, doesn’t look like this. Back in 2011, I thought it would only be a question of time before we have a drive by execution of a politician with an ICD (implanted cardiac device). In Jan 9, 2017 FDA reported in a FDA Safety […]
-
What is more important – patient safety or hospital IT?
What is more important – patient safety or the health of the enterprise hospital Windows network? What is more important – writing secure code or installing an anti-virus? A threat analysis was performed on a medical device used in intensive care units. The threat analysis used the PTA (Practical threat analysis) methodology. Our analysis considered […]
-
The chasm between FDA regulatory and cyber security
When a Risk Analysis is not a Risk analysis Superficially at least, there is not a lot of difference between a threat analysis that is part of a software/hardware security assessment and a risk analysis (or hazard analysis) that is performed by a medical device company as part of their submission to the FDA. […]
-
3 things a medical device vendor must do for security incident response
You are VP R&D or CEO or regulatory and compliance officer at a medical device company. Your medical devices measure something (blood sugar, urine analysis, facial anomalies, you name it…). The medical device interfaces to a mobile app that provides a User Interface and transfers patient data to a cloud application using RESTful services over HTTPS. Sound familiar? […]
-
On Shoshin and Software Security
I am an independent software security consultant specializing in medical device security and HIPAA compliance in Israel. I use the state-of-the art PTA – Practical Threat Analysis tool to perform quantitative threat analysis and produce a bespoke, cost-effective security portfolio for my customers that fits their medical device technology. There are over 700 medical device companies […]
-
Shock therapy for medical device malware
Israel has over 700 medical device vendors. Sometimes it seems like half of them are attaching to the cloud and the other are developing mobile apps for all kinds of crazy, innovative applications like Healthy.io ( Visual Input Turned Into Powerful Medical Insight – translation: an app that lets you do urine analysis using your smart phone). […]
-
The death of the anti-virus
Does anti-virus really protect your data? Additional security controls do not necessarily reduce risk. Installing more security products is never a free lunch and tends to increase the total system risk and cost of ownership, as a result of the interaction between the elements. We use the quantitative threat analysis tool – PTA that enables […]
-
Why anti-virus doesn’t work for medical devices
Are you checking off medical device security in your hospital with anti-virus: falling for security theater; feeling secure and enjoying the show, but in fact being less secure? A medical device is not an office PC The most commong security countermeasure in use today is anti-virus software for Windows-based workstations to protect the Windows PC from […]
-
Health Information Technology Patient Safety Action & Surveillance Plan
This is a quick update on two new documents released by the HHS and the IMDRF: Health Information Technology Patient Safety Action & Surveillance Plan The US Department of Health and Human Services published on July 2, 2013 the Health Information Technology Patient Safety Action & Surveillance Plan. The FDA belongs to the HHS. The plan defines several […]
-
Software in Medical Devices – Update
We have previously written about various aspects of the software development process, especially, the verification and validation activities in implanted and invasive medical devices. Here is an update on what is happening in the regulatory arena and how the regulatory groups are checking up on what we are doing. Software Recalls 2012 The estimate for software recalls […]