Marie Thibault

Over the last few years, cybersecurity has become a major topic in healthcare. While medical device companies have been warned repeatedly about the vulnerability of their products, there have been few concrete, detailed recommendations for addressing the concern.

Now, the Institute of Electrical and Electronics Engineers (IEEE) has published cybersecurity guidelines for medical device makers. The report, "Building Code for Medical Device Software Security," includes ten elements that should be considered when developing medical device software, listed below:

The report, which was based on input from 40 volunteers, uses the metaphor of a "building code" for creating a device software system. The authors wrote, "The elements presented here aim to start builders of software for medical devices down the road toward a building code for software security that will reduce the vulnerability of their systems to malicious attacks, just as codes for physical buildings help their designers and builders create structures that resist threats from fire, wind, water and, in some cases, malicious attacks."

IEEE's report is particularly timely, since this month, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory on vulnerabilities in Hospira's LifeCare PCA Infusion System. According to that advisory, researcher Billy Rios found that the infusion system (Version 5.0 and earlier versions) has an "improper authorization vulnerability and an insufficient verification of data authenticity vulnerability."  

Report recommendations include using memory-safe programming languages, following secure coding standards, generating secure random numbers, keeping a whitelist of safe software applications that can only be updated by authorized administrators, and logging security-linked events.

"This is just a starting point that developers can use to rule out the most commonly exploited classes of software vulnerabilities during the implementation phase. There is more work to do, so we encourage the industry to participate in our effort to create a foundation for a more complete code for the medical device industry to apply," Carl Landwehr, one of the report authors, IEEE fellow and research scientist, Cyber Security Policy and Research Institute at George Washington University, said in a press release announcing the report. 

The volunteers didn't stop with this list of suggested elements. They also came up with a wish list of future elements that might be useful for increasing device cybersecurity, but require more research or evidence of efficacy first. Included on this list are elements like "Risky module identification," "Protection of critical state data," and a "Trusted computing base."  

Marie Thibault is the associate editor at MD+DI. Reach her at [email protected] and on Twitter @medtechmarie. 

[Image courtesy of STUART MILES/FREEDIGITALPHOTOS.NET]