ST. LOUIS, MO – St. Louis-based firm Alpine Security (“Alpine”) aims to secure the healthcare industry from cyberattacks. One way Alpine is securing healthcare is by working with medical device manufacturers to help ensure their devices are safe from cybercriminals. Medical devices range from external systems, such as drug infusion pumps or patient monitoring systems to implantable (internal) devices, like pacemakers. Cybercriminals go after medical devices for four main reasons:
-
To steal Protected Health Information (PHI) (Motive: Financial Gain)
-
Ransomware (Motive: Financial Gain)
-
To harm or kill a patient (Motive: Terrorism or Assassination)
-
To use the medical device as a beachhead for enemy advancement (Motive: Foothold to Expand Operations)
“Attacks against medical devices are often high risk and may harm or kill a patient. We’re fortunate to work with many medical device manufacturers and learn how their devices are advancing medicine and improving healthcare. Our goal is to assist medical device manufacturers with their mission of improving healthcare.
Alpine developed and introduced its “Evolution” methodology for medical device cybersecurity assessments and testing to help medical device manufacturers mature the cybersecurity of their devices. Alpine’s Evolution approach is based on Navy SEAL Evolutions. The SEALs use Evolutions to describe each progressive event in a training schedule. The general idea is that as you progress through each Evolution you mature and evolve. Alpine assists medical device manufacturers to evolve the cybersecurity of their medical devices using a structured, phased approach.
Alpine’s medical device cybersecurity assessment and penetration testing methodology has two main Evolutions and can include as many as necessary. During each Evolution, the medical device is thoroughly assessed and tested. The first Evolution establishes a cybersecurity baseline for the medical device. This baseline includes all the ways an attacker could gain entry to and compromise the device, as well as the risk associated with each method of compromise. Higher rated risks typically affect patient safety or privacy. After the first Evolution, the medical device manufacturer works to fix the vulnerabilities identified by Alpine Security. The next Evolution validates the vulnerabilities were fixed and checks for any new vulnerabilities that may have been introduced. This process, the Evolution, repeats as many times as necessary to get the medical device to an acceptable risk level.
Alpine’s Evolutions include the following activities, in addition to a technical “white box” penetration test:
-
Identification and prioritization of risk pertaining to confidentiality, integrity, and availability
-
Identification and assessment of all entry points into the device (system)
-
Assessment of existing cybersecurity controls
-
Identification and assessment of data flows
-
Identification and assessment of use case risk
-
Threat (Attack) Tree development
-
Assessment of the cybersecurity Traceability Matrix
-
Assessment of medical device standard operating procedures
-
Assessment of software cybersecurity architecture
For more information on Alpine Security’s medical device cybersecurity assessment and testing, contact Alpine Security at 844-925-7463 / [email protected] or visit their website at www.alpinesecurity.com.
