Coordinating Disclosures of Medical Device Vulnerabilities
Dana-Megan Rossi of Manufacturer Becton Dickinson Describes Company's Process
As cyberthreats facing healthcare organizations soar, medical device maker Becton, Dickinson and Co. has ramped up its process for coordinated disclosure of vulnerabilities to help identify, assess and communicate issues to regulators and industry stakeholders, says Dana-Megan Rossi, the manufacturer's director of information security threat and vulnerability management.
"We work hand-in-hand with security researchers and really welcome them to be part of our process - they help to make our products better," Rossi says in an interview with Information Security Media Group.
"They help us to find things, because technology is going to age. Eventually everything is going to come to the surface where you're going to either need to remediate or mitigate a potential vulnerability."
BD encourages independent researchers to reach out to the manufacturer about the discovery of vulnerabilities, she notes. The company's product security incident response team, research and development team and product quality team work closely with any researchers filing a report.
Potential security vulnerabilities are carefully assessed, she adds. "Regardless of whether or not there's any type of patient safety issue, we're always going to disclose and communicate within 30 days."
BD also works with the Department of Homeland Security, the Food and Drug Administration and the Health Information Sharing and Analysis Center "to make sure we can put together a responsible disclosure that lets our customers know 'here's what we found, here's what you need to know about it, and here are steps to either remediate it ... or to mitigate it'."
In this interview, Rossi also discusses:
- Security challenges involving legacy devices;
- The impact of COVID-19 on the cybersecurity threat landscape;
- The state of medical device cybersecurity and areas of progress.
Rossi, an attorney, leads global information security threat and vulnerability management at BD. Her work focuses on strategic and tactical security operations and initiatives, collaborations and global programs to enhance security. She also serves as the healthcare and public health sector chief for the FBI's InfraGard for the National Capital Region and is a member of the Cyber Health Working Group.