MD+DI Online is part of the Informa Markets Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Getting Started on Medical Device Cybersecurity

Article-Getting Started on Medical Device Cybersecurity

Getting Started on Medical Device Cybersecurity
Tackling cybersecurity in medical devices can be intimidating, leaving manufacturers overwhelmed and wondering where to start.

Tackling cybersecurity in medical devices can be intimidating, leaving manufacturers overwhelmed and wondering where to start.

Stephanie Preston

The security of medical devices is an issue that has the industry’s attention. On October 1, I had the pleasure of taking part in a panel discussion at an educational event staged by the Massachusetts Medical Device Industry Council (MassMEDIC) titled, “Preventing the Unthinkable: Issues in MedTech Cyber Security—Trends and Policies.” I’d like to share some of the key takeaways from the event.

The notion of tackling cybersecurity in medical devices can be intimidating, leaving manufacturers overwhelmed and asking where they should start. Before developing plans on where you’re going, it’s important to figure out where you stand. Performing vulnerability assessments on devices that are currently out in the wild is a great way to figure out where you’re at, and the results will enable you to identify what steps could be taken to raise the security posture of the device.

Utilize industry best practices such as the SANS and CWE top 25 as well as OWASP top 10 for common weaknesses that are found in application security. These lists are wonderful collations of easily digestible steps that can be taken to improve the security of a device or software application.

FDA has been transparent about its desire to make security easy for manufacturers to address. Where that affects postmarket devices is the ability to deploy software updates that address security issues without refiling a PMA or 510(k). Exceptions do apply, and manufacturers need to consider if the update is large enough to warrant a fundamental change in functionality or features, but if best judgements determine its low impact to functionality and behavior, then the update can be released.

Once a plan has been developed for addressing the postmarket device findings, it’s likely that not all of the vulnerability assessment findings can be mitigated. It’s always a risk management game, deciding what’s feasible and worth fixing and what isn’t. However, the actions don’t stop with the postmarket devices; you should take it even further by leveraging the vulnerability assessment results to drive security requirements for future devices. It’s not uncommon for new devices to build off of code developed on previous devices, so seize the opportunity to use what you’ve learned to build in security from the beginning.

Another area of consideration is the adoption of a corporate responsible disclosure policy, which publically describes how external parties may contact you to report potential security vulnerabilities in a system. A policy demonstrates to the security community that you are interested in collaborating and making vulnerability disclosure a positive experience for both parties. Internally, the policy serves as a process for handling received vulnerability reports and identifying stakeholders and decision makers in handling incoming reports.

The security research community, in addition to the academic community, has begun focusing its attention on medical devices. Without a clear method of reporting to a manufacturer, reporters may find alternative ways to make their findings known. A responsible disclosure policy allows the manufacturer to leverage the skilled security research community, which wants to be your ally in furthering patient safety with medical devices.

Stephanie Preston is cyber embedded systems engineer at Battelle.

Learn about patient privacy and data security in the clound communication age at BIOMEDevice San Jose, December 2-3, 2-15.


Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.