Tuesday, April 18, 2017

Medical device security continues to be a critical question in buying decisions

Healthcare agencies looking to purchase medical devices are doing their homework and starting to ask manufacturers more questions about security than in the past, says George Gray, chief technology officer and vice president of software and information systems at Ivenix, a manufacturer of infusion pumps.

That is a good start, according to Gray. But several potential buyers are not aware that pumps are small computers, and prospective customers should be asking the same questions they would ask when assessing any other kind of information system.

They need to challenge vendor assertions that their pumps and other devices are secure by asking what kinds of vulnerabilities the devices have, as well as the plan and schedule for reducing those vulnerabilities. Because pumps are small computers facing all the threats that other computers face, providers must not tolerate hedging by vendors on security answers, Gray suggests.

Prospective customers should expect vendors to come clean on any current vulnerabilities and remediation plans. Specifically, buyers should ask whether they can manage user access, roles, credentials and permissions on a device, which gives the user more control over security. They should also ask whether the vendor contracts with ethical hackers to assess vulnerabilities as its products are being built; the hired help will find vulnerabilities the vendor never knew about, Gray contends.

Vendors might say their pumps cannot be hacked because they run on a proprietary operating system and not Linux or Windows. However, Gray says the pumps remain vulnerable because whatever operating system is being used can still be hit by a denial-of-service attack, in which a ping, or message, is sent to a device or web site asking permission to enter and the pings just keep coming until the device is overwhelmed. “A proprietary operating system can be hacked as conveniently as any other operating system,” he adds.

Additionally, vendors should be asked whether they can ensure that patient data is locked down and encrypted when being sent as a message or stored. Gray suggests asking what the vendor will do the day it is hacked, and asking it to describe the resources it has to identify and fix issues and the processes to rapidly get the fix out to customers. Moreover, he advises asking whether a vendor can download software to the customer on a daily basis, just as Microsoft can.

“At this stage of the game it is significant to have a straight talk and lay cards on the table,” Gray recommends.

He observes that customers often come in with a series of questions ready, and vendors might be more focused on answering the queries in a way that secures their sales position with the customer, which can turn into a heated discussion with the customer starting to distrust the vendor.

If a vendor’s current product is not as up to speed on security as it should be, the vendor should be candid with the customer and also offer a few options, such as falling back on use of a private network until the new product comes out, Gray adds.

 

 
