Is your medical device secure? I learned a lot about the latest trends in cybersecurity and how to protect medical devices and hospitals at a conference this week, hosted in San Francisco and featuring presentations by cybersecurity experts from the medical device industry, from hospital systems, and from vendors of security tools. Medical device cybersecurity is a rapidly evolving field, but a few key principles remain constant, and anyone developing connected medical devices should know them.
First is the concept of “security by design,” addressing security at every stage of product development (“baked in” instead of “bolted on” after development). For medical device companies this means fully integrating cybersecurity into all aspects of product development, from early architecture to detailed design choices to V&V testing.
The second principle is “security in use,” which refers to all the activities that ensure a product remains secure after launch. This involves systematic monitoring of products in the field and establishing company procedures to react rapidly to security incidents.
So how can a product development team anticipate cybersecurity threats that will arise in the future? They can’t—no matter how carefully you’ve designed security measures into a new medical device at the time of product launch, at some point in the future the product is likely to develop a security vulnerability. Therefore, managing cybersecurity throughout the life cycle of a medical device means having a well-defined software patch management process for updating products in the field. Patch management needs to cover patches to your own product software as well as patches to the OS or other third-party software included in your product. The product should be designed to securely accept software patches in an environment of evolving threats. For example, you can design two separate software update methods into the product so that if one method becomes a vulnerability in the future, you can still use the other method to maintain the product.
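The two-update-method idea, sketched as an added example (not code from the conference or any vendor): each update path has its own trust anchor, a path found vulnerable can be retired, and the device refuses to retire its last working path. The channel names `network` and `usb`, the version check, and the use of HMAC as a stand-in for an asymmetric signature (so the sketch runs on the standard library alone) are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def sign(key: bytes, version: int, image: bytes) -> bytes:
    """Tag binds the image to its version (HMAC stands in for a signature)."""
    return hmac.new(key, version.to_bytes(4, "big") + image, hashlib.sha256).digest()


@dataclass
class Channel:
    key: bytes            # per-channel trust anchor, never shared between channels
    enabled: bool = True


@dataclass
class Device:
    version: int
    channels: dict = field(default_factory=dict)

    def retire(self, name: str) -> None:
        """Disable a channel found vulnerable, but never the last working one."""
        others = [c for n, c in self.channels.items() if n != name and c.enabled]
        if not others:
            raise RuntimeError("refusing to retire the only remaining update path")
        self.channels[name].enabled = False

    def apply_update(self, name: str, version: int, image: bytes, tag: bytes) -> str:
        ch = self.channels.get(name)
        if ch is None or not ch.enabled:
            return "rejected: channel unavailable"
        if not hmac.compare_digest(tag, sign(ch.key, version, image)):
            return "rejected: bad signature"
        if version <= self.version:
            return "rejected: rollback"
        self.version = version
        return "installed"


def demo() -> list:
    # Constructed keys and images, for illustration only.
    net_key, usb_key = b"network-channel-key", b"service-port-key"
    dev = Device(version=1, channels={"network": Channel(net_key), "usb": Channel(usb_key)})
    results = [dev.apply_update("network", 2, b"fw-v2", sign(net_key, 2, b"fw-v2"))]
    dev.retire("network")  # network path later found vulnerable
    results.append(dev.apply_update("network", 3, b"fw-v3", sign(net_key, 3, b"fw-v3")))
    # A tag made with the retired channel's key must not pass on the other channel.
    results.append(dev.apply_update("usb", 3, b"fw-v3", sign(net_key, 3, b"fw-v3")))
    results.append(dev.apply_update("usb", 3, b"fw-v3", sign(usb_key, 3, b"fw-v3")))
    results.append(dev.apply_update("usb", 2, b"fw-v2", sign(usb_key, 2, b"fw-v2")))
    return results
```

The independent keys are what make the second method a real fallback: if both paths trusted the same key, compromising that key would compromise both.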
Another key lesson I learned from this conference was the importance of protecting against threats from all directions in a modern healthcare system, which requires a multi-disciplinary approach to security. David Snyder of 42tek.com led an expert panel on this subject titled “Cybersecurity for Medical Devices is a Team Sport.” Security managers from multiple healthcare organizations described the day-to-day challenges of maintaining hospital operations and responding to attacks. Crucial in all this is close coordination between the manufacturer and the healthcare organization to ensure system-wide security, rapidly address security breaches, and restore devices to a safe state.
Want to learn more about medical device cybersecurity?
Here are some useful links for medical device cybersecurity:
FDA Cybersecurity Guidances
https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm
https://www.fda.gov/downloads/medicaldevice/deviceregulationandguidance/guidancedocuments/ucm482022.pdf
Product Security Framework and security templates generously provided on the BD company website:
http://www.bd.com/en-us/support/product-security-and-privacy
NIST Cybersecurity Home Page with “Cybersecurity Framework”
https://www.nist.gov/topics/cybersecurity
NIST Guide to Industrial Control Systems Security (247 pp):
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Medical Device Vulnerability Intelligence Program for Evaluation and Response (MDISS)
https://mdviper.org/
I would add that cybersecurity is part of risk management, just as foreseeable misuse is, thus identifying cybersecurity risks should be part of the risk management file. FDA guidance (search for FDA GUD1825) states that “A security risk management report is a comprehensive approach that considers both security and safety risk analysis in a meaningful way.” Risk analysis in this context means risk management, not just the single step of risk analysis.
Part of identifying hazardous situations related to cybersecurity is threat modeling. Two good, open-source references for this are:
1. Open Web Application Security Project. Category: Threat Modeling. Available at:
http://www.owasp.org/index.php/Category:Threat_Modeling. Accessed Aug. 8, 2017.
2. Open Web Application Security Project. Application Threat Modeling. Available at:
http://www.owasp.org/index.php/Application_Threat_Modeling. Accessed Aug. 8, 2017.
Aaron, thanks for sharing your notes. This topic is only going to grow and grow.