ACKNOWLEDGMENTS

There is an old expression that says when you find a turtle sitting atop a fence post, you can be sure of one thing: the turtle did not get there by himself. That expression has described the positive things that have happened in my life. This book is no different. Although there is one name on the cover, many others have provided direct and indirect material that you will find within. While I cannot mention everyone, there are a few I really have to acknowledge specifically.

Over the past 20 years, numerous people have worked in the medical device security arena, specifically, and healthcare information privacy and security, generally. Most were voices in the wilderness. I know because I commiserated over too many adult beverages with leaders who were the first to identify and describe the requirements to secure medical devices and protect patients. Medical device manufacturers were not quick to engineer security controls into their devices. In fairness, purchasers were not asking for security controls, and changes to medical devices after final designs and approvals from the US Food and Drug Administration (FDA) are obtained are infeasible. That was 20 years ago, but we are still having many of the same conversations. The good news is that many more people are having these conversations, the FDA has taken a prominent position on the issues, the US government has identified healthcare information networks as part of the nation’s critical infrastructure, and patient safety is connected to medical device security. More purchasers want to ensure that the devices meet security standards.

Having said all that, this book is not possible without the mentorship and example set by Mike Nielsen, a fellow Air Force Medical Service Corps (MSC) retiree. Mike’s awareness and passion for medical device security goes back before “it was a thing.” Mike was at the forefront of the Department of Defense joint-medical services (Army, Navy, and Air Force) working with the FDA and medical device manufacturers, particularly in the picture archiving and communication system (PACS) and teleradiology world before just about anyone. Anyone. He was advocating for integrating the old Rainbow Series standards into medical devices to test and evaluate them under the FDA’s Purple Book: Lists of Licensed Biological Products, and then the US Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) for certification and accreditation. (It makes me feel old to find reference material for the Rainbow Series archived at a web site called “The Wayback Machine.” But that is evidence of just how long we have been on notice about security vulnerabilities with Internet-connected medical devices.) Mike’s voice can be heard throughout this book, especially in the areas of medical device security and clinical engineering as security professionals.

I can’t continue without mentioning my utmost appreciation for, and undying gratitude to, Wendy Rinaldi—my editing consultant, acquisitions editor, and taskmaster throughout the entire process. Acknowledgment is a tiny portion of the debt I owe her for her patience and tenacity. This book would never have happened if she did not continue to give me chance after chance to get the work done. I also need to thank Lisa Theobald, Emily Walters, Lori Reed-Fourquet, and Janet Walden, who did a tremendous job juggling the various revisions and edits to keep the project moving along. There were a lot of moving parts in this effort, and this team was magnificent in keeping all the plates spinning. I also benefitted from their, in many cases extensive, professional editing suggestions and phraseology. If readers find this book easy to consume, it is only because of Lisa, Emily, Lori, and Janet.

I will always provide the following acknowledgment: Everyone who works in healthcare information security owes a debt of gratitude to Mr. Lynn McNulty, especially if you have or aspire to earn HCISPP. I must acknowledge Lynn’s vision and support, although now posthumously. I will always remember meeting Lynn in a pub and mapping out the need for healthcare-specific information protection measures of workforce competency. Yes, this was on the back of a napkin—and not figuratively, but literally. He believed in the concept that protecting healthcare information required different competencies than other industries. He was the genesis of the HCISPP at (ISC)2 along with Hord Tipton. From their leadership, my work emerges. Lynn believed in the ramblings and passion of this healthcare information security professional when very few others thought there was a need for a differentiation between information security domains. He built the bridge between (ISC)2 and the concept of credentialing healthcare information security practitioners outside of the normal information security credentialing process, with the goal of beginning to measure workforce competency in healthcare information security and privacy. Without Lynn, this day would never have come. Without him, however, I will continue on in his spirit of building relationships, growing professionalism, and securing sensitive information in healthcare. We all miss you, Lynn.
