BlackBerry have announced DTSec, a medical device cybersecurity standard created and managed by an international, non-profit consortium, led by the BlackBerry CHACE team.
Contributors to the development of DTSec have included physicians, nurses, medical device manufacturers, university researchers, industry cybersecurity/technology firms (e.g. IBM and Intel, in addition to BlackBerry), ethical hackers, security assessment labs, and government regulators including FDA/CDRH, Health Canada, NIH, DHS, and others.
The working group has set its near-term sights on protecting the safe functioning of diabetes devices, such as body-worn insulin pumps, which are increasingly exposed to the security risks of wireless networks while being relied upon for life-saving treatment by hundreds of millions of people worldwide.
DTSec leverages the excellent work of other international standards, including ISO 15408 and IEC 62304, to offer a methodology for specifying the security requirements of any product type (called a protection profile) and evaluating that a specific product faithfully meets those requirements. The DTSec evaluation program leverages expert independent test labs to assess a product’s ability to withstand cyber attack from well-resourced attackers. This assessment includes sophisticated penetration testing.
In other words, unlike many other security certifications used in the world today, DTSec is not a paper exercise; this is the real deal. Nevertheless, a crucial goal of DTSec is to ensure assessments can be performed efficiently, at the speed of consumer electronics and without adding undue financial burden to product vendors.
The DTSec draft documents (general standard and the protection profile for connected diabetes devices) are now available for public review prior to final ratification.
BlackBerry’s hope and expectation is that medical device manufacturers and their suppliers, with the encouragement of FDA and other international regulatory bodies, will take a leadership role in assuring consumers of the security of their products by having them evaluated and certified under DTSec.
In addition, BlackBerry CHACE will strive to promulgate a similar approach to other industries, such as automotive and industrial control systems, which all suffer from the same problem, one of the world’s critical technology problems: the crisis of confidence in our digital security.
