A Code for Safer Medical Device Software
An industry group gives manufacturers recommendations to keep medical devices safe from hackers.
May 19, 2015
Marie Thibault
Over the last few years, cybersecurity has become a major topic in healthcare. While medical device companies have been warned repeatedly about the vulnerability of their products, there have been few concrete, detailed recommendations for addressing the concern.
Now, the Institute of Electrical and Electronics Engineers (IEEE) has published cybersecurity guidelines for medical device makers. The report, "Building Code for Medical Device Software Security," includes ten elements that should be considered when developing medical device software, listed below:
(A) Elements intended to avoid/detect/remove specific types of vulnerabilities at the implementation stage
(B) Elements intended to assure proper use of cryptography
(C) Elements intended to assure software/firmware provenance and integrity, but not to remove code flaws
(D) Elements intended to impede attacker analysis or exploitation but not necessarily remove flaws
(E) Elements intended to enable detection/attribution of attack
(F) Elements intended to assist in safe degradation of function during an attack
(G) Elements intended to assist in restoration of function after attack
(H) Elements intended to support maintenance of operational software without loss of integrity
(I) Elements intended to support privacy requirements
(X) Desired characteristics of the building code, for example, standard names use, building code maintenance over time, and scope
The report, which was based on input from 40 volunteers, uses the metaphor of a "building code" for creating a device software system. The authors wrote, "The elements presented here aim to start builders of software for medical devices down the road toward a building code for software security that will reduce the vulnerability of their systems to malicious attacks, just as codes for physical buildings help their designers and builders create structures that resist threats from fire, wind, water and, in some cases, malicious attacks."
IEEE's report is particularly timely, since this month, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory on vulnerabilities in Hospira's LifeCare PCA Infusion System. According to that advisory, researcher Billy Rios found that the infusion system (Version 5.0 and earlier versions) has an "improper authorization vulnerability and an insufficient verification of data authenticity vulnerability."
Report recommendations include using memory-safe programming languages, following secure coding standards, generating secure random numbers, keeping a whitelist of safe software applications that can only be updated by authorized administrators, and logging security-linked events.
"This is just a starting point that developers can use to rule out the most commonly exploited classes of software vulnerabilities during the implementation phase. There is more work to do, so we encourage the industry to participate in our effort to create a foundation for a more complete code for the medical device industry to apply," Carl Landwehr, one of the report authors, IEEE fellow and research scientist, Cyber Security Policy and Research Institute at George Washington University, said in a press release announcing the report.
The volunteers didn't stop with this list of suggested elements. They also came up with a wish list of future elements that might be useful for increasing device cybersecurity, but require more research or evidence of efficacy first. Included on this list are elements like "Risky module identification," "Protection of critical state data," and a "Trusted computing base."
Marie Thibault is the associate editor at MD+DI. Reach her at [email protected] and on Twitter @medtechmarie.