In 2015, I made a call to arms for improved security standards. Blindly trusting the word of developers and enterprises claiming great security has not worked out so well. Despite massive increases in IT security spending, cyber attacks cost businesses a record half billion dollars in 2015. In the healthcare industry specifically, attackers have found a soft target, with 8 of the 10 largest healthcare breaches in history occurring in 2015. The world needs – deserves – trustworthy methods of assessing the security capabilities claimed by devices, software, networks, and systems. As I said during National Cybersecurity Awareness Month, we cannot hope to raise the security bar if we don’t know how to measure its height.
I’m very pleased to announce the first major salvo in this war. DTSec is a medical device cybersecurity standard created and managed by an international, non-profit consortium, led by our BlackBerry CHACE team (for more info, read my blog from December). Contributors to the development of DTSec have included physicians, nurses, medical device manufacturers, university researchers, industry cybersecurity/technology firms (e.g. IBM and Intel, in addition to BlackBerry), ethical hackers, security assessment labs, and government regulators including FDA/CDRH, Health Canada, NIH, DHS, and others. The working group has set its near-term sights on protecting the safe functioning of diabetes devices, such as body-worn insulin pumps, which are increasingly exposed to the security risks of wireless networks while being relied upon for life-saving treatment by hundreds of millions of people worldwide.
DTSec leverages the excellent work of other international standards, including ISO 15408 and IEC 62304, to offer a methodology for specifying the security requirements of any product type (called a protection profile) and evaluating that a specific product faithfully meets those requirements. The DTSec evaluation program leverages expert independent test labs to assess a product’s ability to withstand cyber attack from well-resourced attackers. This assessment includes sophisticated penetration testing. In other words, unlike many other security certifications used in the world today, DTSec is not a paper exercise; this is the real deal. Nevertheless, a crucial goal of DTSec is to ensure assessments can be performed efficiently, at the speed of consumer electronics and without adding undue financial burden to product vendors.
The DTSec draft documents (general standard and the protection profile for connected diabetes devices) are now available for public review prior to final ratification. I will blog again once the finalized standard is published.
Our hope and expectation is that medical device manufacturers and their suppliers, with the encouragement of FDA and other international regulatory bodies, will take a leadership role in assuring consumers of the security of their products by having them evaluated and certified under DTSec. In addition, BlackBerry CHACE will strive to promulgate a similar approach to other industries, such as automotive and industrial control systems, which all suffer from one of the world’s critical technology problems: the crisis of confidence in our digital security.