By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    health benefits of taking a vacation to reduce stress
    Relaxing European Destinations to Reduce Stress Risks to Health
    October 11, 2021
    pain management tips
    Managing Pain Differently: Alternative Pain Management Techniques
    January 12, 2022
    5 Ways to Promote Wellness in Your Home
    April 12, 2022
    Latest News
    How to Combat Home Sickness After Moving Abroad
    March 19, 2023
    4 Ways to Recover from a Broken Hip
    March 14, 2023
    What Are Dietary Supplements: Purpose, Benefits, & Facts
    March 15, 2023
    5 Benefits of Receiving Acupuncture Regularly
    March 9, 2023
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    What the Election Means for Health Care
    November 9, 2012
    How To Attract Patients in a Consumer-Driven Healthcare Market
    February 13, 2016
    jeopardy clue tile
    Jeopardy: “I’ll Take Medical Errors For $100,000, Alex!”
    December 25, 2012
    Latest News
    3 Ways to Improve the U.S. Healthcare System By 2030
    March 14, 2023
    6 Steps To Ensure Speed And Efficiency Of Clinical Studies
    March 14, 2023
    5 Most Valuable Healthcare Programs in 2023
    March 8, 2023
    The Everest Foundation’s Mission to Support Inclusive Healthcare
    February 24, 2023
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: On Shoshin and Software Security
Share
Sign In
Notification Show More
Latest News
mental health tips
Caring for Your Mental Health Should Be a Top Priority
Mental Health
combat home sickness
How to Combat Home Sickness After Moving Abroad
Health News
depression signs
Early Signs of Depression that You Shouldn’t Ignore
Mental Health
positive mental health
How to Build a Positive Mental Health Environment
Mental Health
broken hip recovery
4 Ways to Recover from a Broken Hip
Health
Aa
Health Works CollectiveHealth Works Collective
Aa
Search
Have an existing account? Sign In
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > Technology > On Shoshin and Software Security
Technology

On Shoshin and Software Security

Danny Lieberman
Last updated: 2015/09/07 at 1:49 PM
Danny Lieberman
Share
8 Min Read
SHARE

I am an independent software security consultant specializing in medical device security and HIPAA compliance in Israel.  There are over 700 medical device companies in Israel – all doing totally cool and innovative things from My Dario (diabetes management) to Syneron (medical esthetics).

Contents
Medical device security is an adversarial environment very unlike FDA regulatory oversight.Medical device security is about attackers and totally unpredictable behaviorWinning friends and influencing client in the threat analysis

I am an independent software security consultant specializing in medical device security and HIPAA compliance in Israel.  There are over 700 medical device companies in Israel – all doing totally cool and innovative things from My Dario (diabetes management) to Syneron (medical esthetics).

This is a great niche for me because I get to do totally cool projects and  work with a lot of really smart people at Israeli medical device vendors helping them implement cost-effective  security and privacy compliance + it’s fun learning all the time.

One of my insights is that there is very little connection between and FDA medical device risk assessment and a software security risk assessment.   This somewhat counter-intuitive for people who believe in risk management as in banks and insurance companies and law.

More Read

benefits of EHR systems in healthcare

Using EHR systems in healthcare for Cost-Effective Services

Benefits of Emerging Technology in Healthcare in 2023
Healthcare SEO Tips to Grow Your Medical Practice
The Future Of Medicine: How Immunotherapy Is Saving Lives
6 Essential Strategies for Improving Your Medical Practice

Medical device security is an adversarial environment very unlike FDA regulatory oversight.

FDA medical device regulatory oversight is about complying in a reliable way with standard operating procedures and 20 year old software standards.   Software security is about mitigating the unexpected in a reliable way.

FDA believes that conformance with this guidance document, when combined with the general controls of the Act, will provide reasonable assurance of the safety and effectiveness…

FDA recognizes several software consensus standards. A declaration of conformity to these standards, in part or whole, may be used to show the manufacturer has verified and validated pertinent specifications of the design controls. The consensus standards are:

  • ISO/IEC 12207:1995 Information Technology – Software Life Cycle Processes
  • IEEE/EIA 12207.O-1996 Industry Implementation of International Standard ISO/IEC12207:1995 (ISO/IEC 12207) Standard for Information Technology – Software Life Cycle Processes

Medical device security is about attackers and totally unpredictable behavior

Medical device security is about anticipating  the weakest link in a system that can be exploited by an attacker who will do totally unpredictable things that were inconceivable last year by other hackers, let alone 20 years ago by an ISO standards body.

You cannot manage unpredictable behavior (think about a 2 year old) although you can develop the means for anticipating threats and responding quickly and in a focused way even when sleep-deprived and caffeine-enriched.

For a person like me (an independent security consultant with a graduate degree in physics and a high sense of self-worth), there is an overwhelming temptation to show clients how dangerous their security vulnerabilities are and how much you can add value to their product.

Winning friends and influencing client in the threat analysis

This is not however a strategy guaranteed to win friends and influence people (and win repeat business) – i.e. forcing the client to do the “right” things.

Instead of saying – “that is a really bad idea, and you will get hacked and destroy your reputation before your QA and RA departments get back from lunch“, I have realized that it is better to take a more nuanced approach like:

“I see that you are transferring credentials in plain-text to your server in the cloud.   What do you think about the implications of that?“.   Getting the customer to think like an attacker is better than dazzling and intimidating the client which has short-term ROI for your ego and poor probability of improving the clients’ medical device security.

How did I reach this amazing (slow drum roll…) insight?

About 3 years ago I read a book called Search Inside Yourself: The Unexpected Path to Achieving Success, Happiness (and World Peace) and I learned an idea from Zen Buddhism called – “Don’t take action, let action take you“.    I try to apply this approach with clients as a way of helping them learn themselves and as a way of avoiding unnecessary conflict.  The next step in my Zen Buddhist evolution was getting acquainted with another concept from called Shoshin:

Shoshin (初心) means “beginner’s mind”. It refers to having an attitude of openness, eagerness, and lack of preconceptions when studying a subject, even when studying at an advanced level, just as a beginner in that subject would.

For advanced medical device security consultant like me, this means doing the exact OPPOSITE of what you normally do in the course of a security threat assessment:

  1. Let go of the need to add value – you do not have to provide novel security countermeasures in your threat model all the time. Sometimes, doing the basics (like hashing and salting passwords) is all the value the client needs.
  2. Let go of the need to win every argument – you do not have to provide novel security countermeasures in your threat model and show the client why their RA (regulatory assurance) consultant are making fatal mistakes.
  3. Ask the client to tell you more – you can ask what led the client to a particular design decision.  You may learn something about their system design alternatives and engineering constraints. This will help you design novel security countermeasures for their medical device.
  4. Assume you are an idiot –  this is a corollary of not taking action.   By being neutral, and assuming you are an idiot, you disable your ego for a few moments and you get into a position of accepting new information  which may help you design novel security countermeasures for their medical device….

 

Thank you to James Clear for his insightful post – Shoshin: This Zen Concept Will Help You Stop Being a Slave to Old Behaviors and Beliefs and inspiring the application of Shoshin to medical device security threat modeling.

Sign Up For Daily Newsletter

Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Danny Lieberman September 7, 2015
Share this Article
Facebook Twitter Copy Link Print
Share
Previous Article Vascular closure devices
Next Article Speaking from the Heart with Patient Empowerment Network

Stay Connected

1.5k Followers Like
4.5k Followers Follow
2.8k Followers Pin
136k Subscribers Subscribe

Latest News

mental health tips
Caring for Your Mental Health Should Be a Top Priority
Mental Health March 19, 2023
combat home sickness
How to Combat Home Sickness After Moving Abroad
Health News March 19, 2023
depression signs
Early Signs of Depression that You Shouldn’t Ignore
Mental Health March 19, 2023
positive mental health
How to Build a Positive Mental Health Environment
Mental Health March 15, 2023

You Might also Like

valueable healthcare programs
News

5 Most Valuable Healthcare Programs in 2023

March 8, 2023
how technology helping nursing patient care
Medicare

7 Ways Technology is Improving Nursing and Patient Care

March 8, 2023
AI in healthcare education
Artificial IntelligenceMedical EducationPolicy & LawTechnology

Colleges Prove the Huge Benefits of AI in Healthcare Education

February 21, 2023
technology for treating OCD
Technology

The Evolution of Mental Health Technology Helps Treat OCD

February 19, 2023
//

We influence million of users and is the most authentic source of information on healthcare business and technology news.

Quick Links

  • About
  • Contact
  • Privacy
Subscribe

Subscribe to our newsletter to get our newest articles instantly!

Follow US

© 2008-2023 HealthWorks Collective. All Rights Reserved.

Removed from reading list

Undo
Welcome Back!

Sign in to your account

Lost your password?