DTSec DTS Cybersecurity Standard for Connected Diabetes Devices


Diabetes Technology Society (DTS) is pleased to announce that the steering committee members, advisors, and consultants of the DTS Cybersecurity Standard for Connected Diabetes Devices (DTSec) project have developed the DTS Cybersecurity Standard for Connected Diabetes Device Security and the DTS Protection Profile for Connected Diabetes Devices.

Press Release

New Standard to Raise Confidence in the Security of Network-Connected Medical Devices through Expert Evaluation

May 23, 2016 – MEDSec Conference, San Jose, CA – Diabetes Technology Society today announced the first official public release of DTSec, a cyber security standard whose goal is to raise confidence in the security of network-connected medical devices through independent expert security evaluation.

This standard initially targets networked life-critical devices such as insulin pump controllers but inherently could be used in any medical product or component contributing to the protection of high value assets. This standard will provide the foundation for effective cybersecurity standards across other connected devices and the broader “Internet of Things (IoT)”.

DTSec leverages ISO/IEC 15408 to provide a framework for risk-based, multi-stakeholder definition of security requirements in the form of DTSec-published Protection Profiles (PPs) and product-specific Security Targets (STs), derived from the PP. DTSec-approved labs evaluate the products to ensure they meet the ST’s security requirements. Successfully evaluated products are then publicly listed for the world to see.

According to Dr. David Klonoff, Medical Director of the Diabetes Research Institute at Mills-Peninsula Medical Center (Sutter Health) and chair of the DTSec steering committee, “DTSec is an important step in the fight to not only protect patients from hacking threats but also to provide consumers and regulators with the confidence needed to leverage the vast potential of the Internet of Medical Things in improving quality of life.”

“We can’t hope to raise the cybersecurity bar if we don’t know how to measure its height,” said David Kleidermacher, BlackBerry Ltd. Chief Security Officer and one of the standard’s lead authors. “The DTSec development process, standard, and protection profiles provide a blueprint for efficient, measurable security to be established for connected electronic products and systems in any industry.”

“We at Ascensia Diabetes Care are committed to bringing connected diabetes management products to the market that improve the lives of people with diabetes,” said Jeff Reynolds, Technical Program Director, Product Engineering, Ascensia Diabetes Care. “As a trusted partner in the diabetes community, we view our participation in DTSec as an excellent way to improve our security awareness and we plan to submit our next generation product for evaluation.”

"Agamatrix is proud to take a leadership position in security for medical devices,” said Wayne Menzie, Director of Commercial and Clinical Development, Agamatrix. “Agamatrix is beginning the process of evaluating our recently FDA cleared Jazz Wireless 2 blood glucose meter under DTSec."

DTSec approved evaluation labs include Brightsight, the world’s largest independent security evaluator for high-criticality electronic products, such as financial transaction and industrial control systems, and Booz Allen Hamilton, which provides management and technology consulting and engineering services to leading Fortune 500 corporations, governments, and not-for-profits across the globe.

"Trustworthiness of medical devices comes with the assurance that the security requirements are clear and the security measures are adequate and correctly implemented, and that security vulnerabilities are removed from approved devices", said Dirk-Jan Out, CEO of Brightsight. "DTSec offers a sound platform for independent security assessments of critical devices by approved security labs in a practical, transparent and cost-efficient manner."

According to Andy Castonguay, Principal Analyst at Machina Research, “DTSec pulls together an impressive set of constituents with a core focus on protecting a broad set of devices crucial to monitoring and treating diabetes with a comprehensive evaluation framework.”

Availability

The Standard for Wireless Diabetes Device Security (version 1.0) and the Protection Profile for Connected Diabetes Devices (version 1.0) are available for download online at https://www.diabetestechnology.org/dtsec.shtml

About the Diabetes Technology Society

Diabetes Technology Society (DTS) is a nonprofit organization committed to promoting development and use of technology in the fight against diabetes. The DTS mission is to spearhead collaborative efforts by experts in academia, clinical practice, industry, and government to accelerate development of practical technology for treating, monitoring, diagnosing, and preventing diabetes mellitus and its complications.

For more information visit https://www.diabetestechnology.org

Brett McGreevy
Administrator
Diabetes Technology Society
845 Malcolm Road, Suite 5
Burlingame, CA 94010
(650) 692-7100
mcgreevy@diabetestechnology.org

DTSec Certified Devices

Device Certification
CONTOUR©NEXT ONE
(Manufacturer: Ascensia Diabetes Care)
CONTOUR©PLUS ONE
(Manufacturer: Ascensia Diabetes Care)

DTSec Approved Testing Labs

Booz Allen Hamilton
Cyber Assurance Testing Lab (CATL)
Primary Contact: Eric Winterton
Email: catl@bah.com
BrightSight
Primary Contact: Ernst Bovelander
Email: bovelander@brightsight.com
Underwriters Laboratories (UL)
Primary Contact Name: Anura S. Fernando
E-mail: Anura.S.Fernando@ul.com
For inquiries regarding how to become an approved DTSec lab, please contact info@diabetestechnology.org.

Diabetes Technology Society (DTS) has launched DTSec (DTS Cybersecurity Standard for Connected Diabetes Devices project). Devices for diabetes are increasingly able to communicate wirelessly with smartphones, the cloud and with each other. Unfortunately, many wireless devices are currently at risk of cyber attacks, which can lead to breaches of data confidentiality, integrity, and availability. The news media have recently contained stories of cyber-attacks resulting in loss of precious data or execution of inappropriate commands. DTS wants patients who use wireless devices for their care to be safe from hacking. A benchmark tool (known as a standard) will be developed that contains a set of cybersecurity performance requirements and assurance requirements. The standard will be intended for industry, clinicians, patients, payers, or regulators to assess whether there is adequate cybersecurity in any new or marketed wireless diabetes device. Presidential Executive Order 13636 is intended to increase the level of core capabilities for the US critical infrastructure in 16 critical sectors, including healthcare/public health. This order mandates NIST to work with the private sector to identify existing voluntary consensus standards and industry best practices and then build them into a Cybersecurity Framework. Our standard will contribute to this effort.

DTS has already had multiple meetings with various stakeholders to prepare this project. Our goal is to develop a consensus standard that will contain security and assessment requirements for such wireless products as BG Monitor systems, continuous glucose monitors, wireless insulin pumps, and closed loop systems. To develop the standard we have organized a steering committee comprised of a wide spectrum of stakeholders who manufacture, regulate, analyze, prescribe, and use diabetes devices, with an emphasis on experts in diabetes wireless device cybersecurity. From the government sector our steering committee will have representation from FDA, DHS, NIH, NASA, and USAF. Other steering committee members will come from academia (medicine, engineering, mathematics, and law), professional organizations, industry, and the patient community.

DTS believes that future medical device standards for products not intended for diabetes might also derive from our work. This is because many principles of sound cybersecurity for diabetes monitoring and treatment devices will also apply to monitoring and treatment devices intended for other diseases. This project is being launched at a critical time in our nation’s history when there is a great need for cybersecurity to protect patients with diabetes who use wireless devices. This is the right project with the right participants for the right purpose. We expect to successfully create a needed standard that will be useful for all stakeholders in the field of diabetes connected devices.

July 21, 2015 DTSec Meeting
Herndon, VA
October 21, 2015 DTSec Meeting
Herndon, VA