In-brief: GE Healthcare’s Chief Technology Officer said his company is modeling its product security program on Microsoft’s Trustworthy Computing program – and tapping the Redmond company for experts to help them do it.
GE Healthcare might not be a company that seems to have much in common with Bill Gates' brainchild: Redmond, Washington-based Microsoft. But when it comes to securing its products from software-based attacks, the medical device giant is paying close attention to Gates' and Microsoft's Trustworthy Computing playbook.
With an eye to securing its ever-more connected medical devices from cyber attack, GE Healthcare has embraced an approach used by Microsoft almost two decades ago as it struggled to overhaul the security of its Windows operating system, Internet Explorer web browser and Office productivity software.
Among other things, GE Healthcare has been filling out its product security team with Microsoft veterans and adopting Microsoft’s secure development lifecycle (SDL) approach to managing product security, according to Chris Larkin, the Chief Technology Officer at GE Healthcare.
Larkin described the company’s approach to securing its products during an address at the Internet of Things World event in Boston on Tuesday.
GE Healthcare, he said, was looking for ways to balance the benefits and efficiencies of new “smart” medical devices and instruments with the risks that go along with connecting such equipment to clinical networks and, more generally, the Internet. To do that, the company was looking to Microsoft’s Secure Development Lifecycle as a model.
That approach emphasizes security throughout a product’s life: from design and development through to deployment. Specifically, Larkin mentioned GE Healthcare’s focus on what Microsoft refers to as “SD3,” or “Secure by Design, Secure by Default and Secure in Deployment.” (Microsoft actually refers to SD3+C, which includes “Secure Communications,” though Larkin didn’t mention that.)
GE is emphasizing threat modeling for its products, anticipating malicious attacks and actors with an interest in medical devices and healthcare environments – an element that is often missing from product design in the medical device field.
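To show what the threat modeling step of an SDL-style program actually produces, here is an added example that is not GE Healthcare's or Microsoft's code. It assumes the STRIDE-per-element method that Microsoft's SDL threat modeling guidance uses (the page does not say which method GE applies), and the data-flow diagram of a hypothetical connected infusion pump, its trust boundary and its list of design-time controls are all constructed for the illustration. The script enumerates the threat categories that apply to each element, attaches the controls already decided at design time, and lists what is still open, putting threats that cross the trust boundary first since those are reachable from the clinical network.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "Information disclosure", "Denial of service",
          "Elevation of privilege")

# STRIDE-per-element table from Microsoft's SDL threat modeling guidance:
# which categories apply to each kind of data-flow-diagram (DFD) element.
STRIDE_PER_ELEMENT: Dict[str, Set[str]] = {
    "external": {"Spoofing", "Repudiation"},
    "process": set(STRIDE),
    "datastore": {"Tampering", "Repudiation", "Information disclosure",
                  "Denial of service"},
    "dataflow": {"Tampering", "Information disclosure", "Denial of service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # one of STRIDE_PER_ELEMENT's keys
    crosses_boundary: bool = False  # True if a trust boundary separates it from its peers


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool
    mitigations: Tuple[str, ...]

    @property
    def open(self) -> bool:
        return not self.mitigations


def enumerate_threats(elements: List[Element],
                      controls: Dict[Tuple[str, str], List[str]]) -> List[Threat]:
    """Apply STRIDE-per-element to every DFD element, attaching the design-time
    controls recorded for each (element, category) pair."""
    threats: List[Threat] = []
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind: {el.kind!r}")
        for cat in STRIDE:  # canonical STRIDE order keeps the output stable
            if cat in STRIDE_PER_ELEMENT[el.kind]:
                threats.append(Threat(el.name, cat, el.crosses_boundary,
                                      tuple(controls.get((el.name, cat), []))))
    return threats


def open_threats(threats: List[Threat]) -> List[Threat]:
    """Unmitigated threats, boundary-crossing ones first: they are reachable
    from a less-trusted zone such as the clinical network."""
    return sorted((t for t in threats if t.open),
                  key=lambda t: (not t.crosses_boundary, t.element, t.category))


# Constructed DFD for a hypothetical connected infusion pump (not a real product).
DFD = [
    Element("Clinician", "external"),
    Element("Pump controller", "process"),
    Element("Dose log", "datastore"),
    Element("Pump <-> EMR link", "dataflow", crosses_boundary=True),
]

# Constructed list of controls already in the design (secure-by-design and
# secure-by-default decisions), keyed by (element, STRIDE category).
CONTROLS: Dict[Tuple[str, str], List[str]] = {
    ("Clinician", "Spoofing"): ["badge + PIN login"],
    ("Pump controller", "Spoofing"): ["mutual TLS client certificates"],
    ("Pump controller", "Elevation of privilege"): ["signed firmware, no shell"],
    ("Dose log", "Tampering"): ["append-only log with HMAC"],
    ("Pump <-> EMR link", "Information disclosure"): ["TLS 1.2+ on by default"],
    ("Pump <-> EMR link", "Tampering"): ["TLS 1.2+ on by default"],
}

if __name__ == "__main__":
    for t in open_threats(enumerate_threats(DFD, CONTROLS)):
        flag = "BOUNDARY" if t.crosses_boundary else "        "
        print(f"{flag}  {t.element:20} {t.category}")
```

Running it lists nine open threats for the constructed design, with denial of service on the boundary-crossing pump-to-EMR link at the top; each open row is a design decision still to be made (a control, an accepted risk, or a change to the diagram), which is the artifact a product security team carries from design into development and deployment review.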
GE Healthcare has also attracted a number of Microsoft security pros to its ranks. Among them: Bob Fruth, who spent six years as the Security Program Manager for Trustworthy Computing and is now a Principal Cybersecurity Consultant at GE Healthcare. There is also Matt Clapham, a former Microsoft Security Engineer and Security Program Manager who now also works on GE Healthcare's Product Development Security team, and Valery Berestetsky, who spent 13 years as a security and program manager at Microsoft before joining GE Healthcare's Product Development Security team.
Larkin said GE Healthcare was also following Microsoft’s model in pushing responsibility for product security down to business unit managers, rather than having security imposed on business units from outside. “We make business unit managers completely and wholly responsible for cyber security,” he said. “That’s another lesson we learned from Microsoft.”
He said the benefits of the SDL process also entail risks. “You can get so strong with ‘cyber’ that you miss out on business opportunities,” Larkin said. “You can’t allow the cyber security team to keep you from making money,” he said.
GE Healthcare’s turn to Redmond for a model on product security is perhaps not surprising. The two companies have deep ties. Microsoft and GE Healthcare teamed to form Caradigm, a joint venture to create a healthcare performance management suite. (Microsoft later sold its stake in Caradigm to GE.)
The security of medical devices has become a pressing issue for both federal regulators and medical device manufacturers. In August, the stock of medical device maker St. Jude plunged after a report by the firm Muddy Waters called for investors to bet against (or "short") the company's stock over serious security vulnerabilities, discovered by the firm MedSec, in a range of the company's implantable cardiac devices.
Recently, the security firm Rapid7 and Johnson & Johnson disclosed a software flaw in a wearable insulin pump sold by Johnson & Johnson that could allow a malicious actor to force the device to administer doses of insulin to a patient without the patient's knowledge, according to Rapid7's researchers.