CSA Official Press Release

Published 08/07/2018

CSA, OWASP Issue Updated Guidance for Secure Medical Device Deployment


Report includes enhanced sections on purchasing and mechanism controls, as well as relevant FDA guidance

BLACK HAT LAS VEGAS – AUGUST 7, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, in conjunction with the Open Web Application Security Project (OWASP), today released OWASP Secure Medical Device Deployment Standard Version 2.0, an updated guide to the secure deployment of medical devices within a healthcare facility.

Considerable enhancements were made throughout the document, especially to the section on purchasing controls, which now covers security audits and evaluation, privacy impact assessment, and support evaluation controls. Additionally, the updated document now includes relevant guidance from the U.S. Food and Drug Administration (FDA).

“Too many of today’s network-enabled security devices are still not being deployed with security in mind, exposing healthcare providers and their patients to data breaches at best and potential negative health consequences at worst. With ransomware and botnets targeting IoT devices, it is more essential than ever that devices are developed and deployed with security in mind,” said OWASP Project Leader Christopher Frenz, who authored the original paper.

The report reflects how organizations are increasingly devoting resources to supporting the development community and to security in equal measure.

“The growth of electronic medical records and network-enabled devices has allowed healthcare providers to enhance their level of service and the efficiency with which they provide care. However, this same interconnectedness has opened a Pandora’s box of security issues involving legacy systems and healthcare devices that were not designed with security in mind,” said Hillary Baron, Research Program Manager, CSA. “It’s our hope that this document provides a clear roadmap for healthcare organizations looking to ensure that medical devices and systems across the organization follow IT security best practices.”

The report, to which CSA’s Internet of Things (IoT) Working Group provided input and significant contributions, provides guidance in areas such as:

  • Purchasing controls: security audits/evaluation, privacy impact assessment, and support evaluation;
  • Perimeter defenses: firewalls, network intrusion detection/prevention systems (NIDS/NIPS), and proxy servers/web filters;
  • Network security controls: network segmentation, internal firewalls, internal network IDS/IPS, syslog servers, log monitoring, vulnerability scanning, and DNS sinkholes;
  • Device security controls: changing default credentials, account lockout, enabling secure transport, spare copies of firmware/software, device configuration backup, baseline configurations, storage encryption, separate user accounts, restricting access to the management interface, update mechanisms, compliance monitoring, and physical security;
  • Interface and central station security: OS hardening, encrypted transport, and message security (HL7 v3 security standards);
  • Security testing: penetration tests; and
  • Incident response: incident response plan and mock incidents.

Download OWASP Secure Medical Device Deployment Standard Version 2.0.

About Open Web Application Security Project

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible so that individuals and organizations are able to make informed decisions. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.


About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.