CSA, OWASP Issue Updated Guidance for Secure Medical 
Device Deployment

Report includes enhanced sections on purchasing and mechanism controls, as well as relevant FDA guidance

BLACKHAT LAS VEGAS – AUGUST 7, 2018 –The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, in conjunction with the Open Web Application Security Project (OWASP) today released OWASP Secure Medical Device Deployment Standard Version 2.0, an updated guide to the secure deployment of medical devices within a healthcare facility.

Considerable enhancements were made throughout the document, especially to the section on purchasing controls with an eye to security audits and evaluation, privacy impact assessment, and support evaluation controls. Additionally, the updated document now includes relevant guidance from the Federal Drug Administration.

“Too many of today’s network-enabled security devices are still not being deployed with security in mind, exposing healthcare providers and their patients to data breaches at best and potential negative health consequences at worst. With ransomware and botnets targeting IoT devices, it is more essential than ever that devices are developed and deployed with security in mind,” said OWASP Project Leader Christopher Frenz, who authored the original paper.

This report is reflective of how organizations are increasingly putting more resources toward supporting the development community in equal parts with security.

“The growth of electronic medical records and network-enabled devices has allowed healthcare providers to enhance their level of service and the efficiency with which they provide care. However, this same interconnectedness has opened a Pandora’s box of security issues involving legacy systems and healthcare devices that were not designed with security in mind,” said Hillary Baron, Research Program Manager, CSA. “It’s our hope that this document provides a clear roadmap for healthcare organizations looking to ensure that medical devices and systems across the organization follow IT security best practices.”

The report, to which CSA’s Internet of Things (IoT) Working Group provided input and significant contributions, provides guidance in areas such as:

• Purchasing controls: Security audits/evaluation, privacy impact assessment; and support evaluation;
• Perimeter defenses: Firewalls, Network Intrusion Detection/Prevention System (NIDS/NIPS), and Proxy Server/Web Filters;
• Network security controls: Network segmentation, internal firewalls, internal network IDS/IPS, syslog servers, log monitoring, vulnerability scanning and DNS sinkholes
• Device security controls: Change default credentials, account lockout, enabling secure transport, spare copies of firmware/software, device configuration backup, baseline configurations, storage encryption, different user accounts, restricting access to management interface, updating mechanisms, compliance monitoring and physical security;
• Interface and central station security: OS hardening, encrypted transport, and message security-HL7 v3 security standards;
• Security testing: Penetration tests; and
• Incident response: Incident response plan and mock incidents.

Download OWASP Secure Medical Device Deployment Standard Version 2.0.

About Open Web Application Security Project

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible so that individuals and organizations are able to make informed decisions. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.