Improving Medical Device Security by Moving from Shared to Defined Responsibility
Maintaining medical devices and systems requires the knowledge and skills of several different specialists.
Those specialists may be provided by different organizations depending on the limitations in skills and
capacities. This is especially true for the cybersecurity controls needed for regulated medical devices where traditional update, patch, and vulnerability management processes are complex. The concept of ‘shared responsibility’ distributes these tasks among different organizations. Historically, each group has made the assumption that some tasks such as vulnerability management, configuration, hardening, access control,
etc., were to be completed by the other party, resulting in unaddressed vulnerabilities that would allow aDark blue hacker to exploit patient care technologies. Discussions with Healthcare Delivery Organizations (HDO) and
Medical Device Manufacturers (MDM) have identified the need for a more defined approach to ensure that all responsibilities necessary to develop, implement, and operate medical devices are assigned to either the HDO or MDM. Identifying which security tasks each party is responsible for can improve the overall security posture of medical devices.
A responsibility assignment matrix is a commonly used methodology to define and manage the cooperative agreement between support entities and stakeholders. This white paper uses the Responsible/Accountable/ Consulted/Informed (RACI) matrix as an example of a responsibility assignment matrix for purposes.
The paper presents a method to create individual RACI matrixes for common security deployment types for medical devices, based on templates defining standard deployment scenarios and a pool of tasks with suggested responsibilities. It includes two example matrices, MDM-managed and software-only devices.