Tackling cybersecurity in medical devices can be intimidating, leaving manufacturers overwhelmed and wondering where to start.
The security of medical devices is an issue that has the industry’s attention. On October 1, I had the pleasure of taking part in a panel discussion at an educational event staged by the Massachusetts Medical Device Industry Council (MassMEDIC) titled, “Preventing the Unthinkable: Issues in MedTech Cyber Security—Trends and Policies.” I’d like to share some of the key takeaways from the event.
The notion of tackling cybersecurity in medical devices can be intimidating, leaving manufacturers overwhelmed and asking where they should start. Before developing plans on where you’re going, it’s important to figure out where you stand. Performing vulnerability assessments on devices that are currently out in the wild is a great way to establish that baseline, and the results will enable you to identify what steps could be taken to raise the security posture of the device.
Utilize industry best practices such as the SANS and CWE Top 25 as well as the OWASP Top 10 for common weaknesses that are found in application security. These lists are wonderful collations of easily digestible steps that can be taken to improve the security of a device or software application.
FDA has been transparent about its desire to make security easy for manufacturers to address. For postmarket devices, that means the ability to deploy software updates that address security issues without refiling a PMA or 510(k). Exceptions do apply, and manufacturers need to consider whether the update is large enough to warrant a fundamental change in functionality or features, but if best judgment determines that it has a low impact on functionality and behavior, then the update can be released.
Once a plan has been developed for addressing the postmarket device findings, it’s likely that not all of the vulnerability assessment findings can be mitigated. It’s always a risk management game, deciding what’s feasible and worth fixing and what isn’t. However, the actions don’t stop with the postmarket devices; you should take it even further by leveraging the vulnerability assessment results to drive security requirements for future devices. It’s not uncommon for new devices to build off of code developed on previous devices, so seize the opportunity to use what you’ve learned to build in security from the beginning.
Another area of consideration is the adoption of a corporate responsible disclosure policy, which publicly describes how external parties may contact you to report potential security vulnerabilities in a system. A policy demonstrates to the security community that you are interested in collaborating and making vulnerability disclosure a positive experience for both parties. Internally, the policy serves as a process for handling received vulnerability reports and identifying stakeholders and decision makers in handling incoming reports.
The security research community, in addition to the academic community, has begun focusing its attention on medical devices. Without a clear method of reporting to a manufacturer, reporters may find alternative ways to make their findings known. A responsible disclosure policy allows the manufacturer to leverage the skilled security research community, which wants to be your ally in furthering patient safety with medical devices.
Stephanie Preston is a cyber embedded systems engineer at Battelle.