Tips to Improve Medical Device Vulnerability Communications
New Health Sector Coordinating Council guidance aims to help medical device makers improve their communications regarding security vulnerabilities in their products, says Matt Russo, a security leader at Medtronic and a member of the task group that developed the document.
“There’s broad acceptance in the need to be transparent about vulnerabilities in medical devices and technologies that clinicians and patients are using in the healthcare space,” he says in an interview with Information Security Media Group.
The mission of HSCC’s recently issued Medtech Vulnerability Communications Toolkit document is to assist medical device vendors in “demystifying” – for clinicians, patients and non-security professionals – vulnerabilities that involve some of the most technically advanced medical therapies available, he says.
“We acknowledge there was a challenge, where these [vulnerability] communications were coming out and were technically accurate but were very difficult to understand by folks without a security or technology background,” he says.
The toolkit provides a template for how medical device vendors can “hone their product vulnerability communications in plain terms with a clear priority of what’s most important upfront” for non-technical users and consumers of the devices, he says.
The guidance can also jumpstart security vulnerability coordinated disclosure and communication programs by medical device manufacturers that are not as mature in those activities, he says.
The toolkit was created by an HSCC task group of experts from medical device makers of different types and sizes, healthcare delivery organizations and the Food and Drug Administration, he says.
In the interview (see audio link below photo), Russo also discusses:
- Other details contained in the medical device guidance;
- Challenges involving mitigating medical device security vulnerabilities;
- Medical device life cycle concerns.
Russo is a senior director in the global product security office at Minneapolis, Minnesota-based medical device manufacturer Medtronic. He helps ensure the security and safety of Medtronic products. Prior to Medtronic, Russo spent nearly a decade with consulting firm Deloitte, where he served financial services and life and health sciences clients in a variety of engagements, focusing on risk, controls, technology and security.