Medical devices are becoming increasingly connected to the internet, hospital networks, and to other medical devices. Whilst this increased connectivity enables functionality that facilitates improved health care, this same functionality also expands the potential for cybersecurity risks.
In our topical article below, our Head of eHealth Paul Gardner outlines some key considerations regarding cybersecurity for connected medical devices, including advice for design & implementation, testing, and manufacture.
Medical devices, like other computer systems, can be vulnerable to security breaches which can potentially impact their safety and effectiveness. As threats and vulnerabilities cannot be fully eliminated, reducing cybersecurity risk is especially challenging. The health care environment is complex, and so manufacturers, health care providers, and facilities must work together to manage potential cybersecurity risks. Cybersecurity and maintaining data integrity are fundamental parts of any connected medical device development and need to be continuously managed throughout the product’s lifecycle.
What should you consider during Design and Implementation?
Security threats need to be considered early in the development process. Security activities such as architecture review, threat modelling, application security testing, penetration testing, and risk management will help to reveal the potential vulnerabilities within your connected medical device.
Design and risk procedures must account for cybersecurity. The MDR outlines eight practices for managing the cybersecurity of your device:
- Plan and document all of your security-related activities.
- Define your security requirements in a similar way to your software specifications.
- Implement Security by Design. Your design process should incorporate cybersecurity. “Security by Design” means designing products to be foundationally secure. It also involves having multiple layers of defence such that the breach of any single element does not compromise the whole system.
- Implement your cybersecurity design correctly, ensuring that any procedures concerning software releases are followed.
- Define your Verification and Validation testing activities and link them to the risk of your software, before then performing validation testing.
- Consider Security Breach Management by documenting how you will handle any security issues should they arise.
- Address Change Management by defining how you would assess risks and roll out software changes.
- Provide security guidelines in user documentation that explain how to operate the medical device with cybersecurity in mind.
The importance of Threat Modelling
While industry standards and best practices help with developing security requirements, you also need to consider the requirements of the product itself. This can be done with a threat modelling exercise, where you consider:
- Assets: List the assets to be protected and consider the impact of not having asset protection in place
- Threats: Identify threats and their probability
- Vulnerabilities: Identify any weaknesses in the system and account for existing countermeasures, if any
- Risk: Assess the risk based on the consequences of not protecting assets, the likelihood of the threat, and existing safeguards
- Priority: Once the risk is assessed and mitigation is evaluated, prioritise additional mitigations
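The five steps above amount to a small risk register: each asset is paired with a threat, scored for impact and likelihood, credited for any existing countermeasure, and the remaining risk decides which mitigations come first. The Go program below is an added example (not code from the article or its author) that works one such register through; the 1-to-5 scoring scale, the High/Medium/Low bands and the sample rows are assumptions constructed for illustration, and the threat descriptions borrow the STRIDE category names the article mentions.

```go
package main

import (
	"fmt"
	"sort"
)

// Threat is one row of the threat-modelling risk register. Scores use a
// 1 (low) to 5 (high) scale; the scale, the bands and the sample rows are
// assumptions of this example, not values prescribed by the article.
type Threat struct {
	Asset          string // what needs protecting
	Description    string // STRIDE category and a short description of the threat
	Impact         int    // consequence of the asset losing protection
	Likelihood     int    // probability before any countermeasure is credited
	Countermeasure string // existing safeguard, empty if none
	Reduction      int    // likelihood points the safeguard removes
}

// ResidualLikelihood credits the existing countermeasure but never drops
// below 1: a safeguard lowers the odds, it does not make the threat vanish.
func (t Threat) ResidualLikelihood() int {
	l := t.Likelihood - t.Reduction
	if l < 1 {
		return 1
	}
	return l
}

// Risk is impact multiplied by residual likelihood.
func (t Threat) Risk() int { return t.Impact * t.ResidualLikelihood() }

// Ranked pairs a row with its score and the band that drives mitigation priority.
type Ranked struct {
	Threat
	Score    int
	Priority string
}

func band(score int) string {
	switch {
	case score >= 15:
		return "High"
	case score >= 8:
		return "Medium"
	default:
		return "Low"
	}
}

// Prioritise scores every row and orders highest risk first; equal scores
// keep their register order so the output is deterministic.
func Prioritise(threats []Threat) []Ranked {
	out := make([]Ranked, 0, len(threats))
	for _, t := range threats {
		out = append(out, Ranked{Threat: t, Score: t.Risk(), Priority: band(t.Risk())})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

// Register is a constructed sample for a hypothetical connected device.
var Register = []Threat{
	{"Therapy settings", "Tampering: unauthenticated BLE command changes a setting", 5, 4, "", 0},
	{"Firmware image", "Tampering: modified image loaded during update", 5, 3, "Signed firmware with secure boot", 2},
	{"Patient data in logs", "Information disclosure: logs readable over debug port", 4, 3, "Debug port disabled in production", 2},
	{"Device availability", "Denial of service: malformed packets crash the comms stack", 4, 3, "", 0},
	{"Service credentials", "Spoofing: default password on service interface", 4, 5, "Password change forced on first use", 2},
}

func main() {
	for _, r := range Prioritise(Register) {
		fmt.Printf("%-6s %2d  %-22s %s\n", r.Priority, r.Score, r.Asset, r.Description)
	}
}
```

Running it ranks the unauthenticated command path first (20, High), the two rows with no or only partial safeguards next (12, Medium), and the already-mitigated firmware and logging threats last; the point of the residual column is that a countermeasure earns credit only once it is actually in place.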
There are various methods available for threat modelling such as STRIDE and CVSS. For further information on these methods, take a look at the further reading section at the end of this article.
Hardware, Software & Secure coding
Key medical device security requirements include software integrity and authenticity, and data confidentiality. Implementing these requirements is not possible without hardware support, so the first step when designing a product is to ensure that your chosen processor supports security features such as:
- Secure boot (customer programmable keys, key revocation support, easy access to code signing tools and detailed security documentation)
- Secure key storage
- Secure memory
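To make the secure-boot requirements above concrete, the Go program below is an added example, not code from the article or from any particular processor vendor. It models what a boot ROM does with customer-programmable keys and key revocation: a small key table and revocation flags standing in for one-time-programmable fuses, Ed25519 from Go's standard library standing in for the vendor's signature scheme, and a monotonic version counter that rejects downgrades, which is a common secure-boot feature this example adds as an assumption rather than something the article lists. The image header layout and the firmware payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ImageHeader is what the boot ROM reads before trusting anything else.
// The layout is constructed for this example.
type ImageHeader struct {
	Version uint32 // monotonic anti-rollback counter
	KeyID   uint8  // which customer-programmed key signed the image
}

// SignedImage carries the header, the code and an Ed25519 signature over
// header bytes followed by payload, so the header cannot be altered either.
type SignedImage struct {
	Header    ImageHeader
	Payload   []byte
	Signature []byte
}

// BootROM models the one-time-programmable state a secure-boot-capable
// processor holds: the key table, per-key revocation fuses and the lowest
// firmware version it will still accept.
type BootROM struct {
	Keys       [4]ed25519.PublicKey
	Revoked    [4]bool
	MinVersion uint32
}

// signedBytes is the exact byte string signer and verifier both authenticate.
func signedBytes(h ImageHeader, payload []byte) []byte {
	buf := make([]byte, 5, 5+len(payload))
	binary.LittleEndian.PutUint32(buf[:4], h.Version)
	buf[4] = h.KeyID
	return append(buf, payload...)
}

// SignImage is the code-signing tool's job in the release pipeline; the
// private key never reaches the device.
func SignImage(priv ed25519.PrivateKey, h ImageHeader, payload []byte) SignedImage {
	return SignedImage{Header: h, Payload: payload, Signature: ed25519.Sign(priv, signedBytes(h, payload))}
}

// Verify runs the boot-time checks in ROM order: resolve the key, honour
// revocation, check the signature, then refuse downgrades.
func (r *BootROM) Verify(img SignedImage) error {
	id := int(img.Header.KeyID)
	if id >= len(r.Keys) || r.Keys[id] == nil {
		return errors.New("unknown signing key")
	}
	if r.Revoked[id] {
		return errors.New("signing key revoked")
	}
	if !ed25519.Verify(r.Keys[id], signedBytes(img.Header, img.Payload), img.Signature) {
		return errors.New("signature invalid")
	}
	if img.Header.Version < r.MinVersion {
		return errors.New("rollback rejected")
	}
	return nil
}

// Boot verifies and, once an image is accepted, ratchets the anti-rollback
// counter so older signed images cannot be reintroduced later.
func (r *BootROM) Boot(img SignedImage) error {
	if err := r.Verify(img); err != nil {
		return err
	}
	if img.Header.Version > r.MinVersion {
		r.MinVersion = img.Header.Version
	}
	return nil
}

func outcome(err error) string {
	if err == nil {
		return "ok"
	}
	return err.Error()
}

// RunScenario walks through a valid update, a downgrade attempt, a tampered
// image and a key revocation, reporting the boot decision at each step.
func RunScenario() []string {
	pub0, priv0, _ := ed25519.GenerateKey(rand.Reader)
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	rom := &BootROM{MinVersion: 1}
	rom.Keys[0], rom.Keys[1] = pub0, pub1
	code := []byte("constructed firmware payload")

	var results []string
	results = append(results, outcome(rom.Boot(SignImage(priv0, ImageHeader{Version: 2, KeyID: 0}, code)))) // valid update
	results = append(results, outcome(rom.Boot(SignImage(priv0, ImageHeader{Version: 1, KeyID: 0}, code)))) // correctly signed but older
	tampered := SignImage(priv0, ImageHeader{Version: 3, KeyID: 0}, code)
	tampered.Payload = append([]byte("x"), tampered.Payload[1:]...) // first payload byte changed after signing
	results = append(results, outcome(rom.Boot(tampered)))
	rom.Revoked[0] = true // key 0 is no longer trusted: burn its revocation fuse
	results = append(results, outcome(rom.Boot(SignImage(priv0, ImageHeader{Version: 3, KeyID: 0}, code))))
	results = append(results, outcome(rom.Boot(SignImage(priv1, ImageHeader{Version: 3, KeyID: 1}, code)))) // successor key
	return results
}

func main() {
	for i, r := range RunScenario() {
		fmt.Printf("step %d: %s\n", i+1, r)
	}
}
```

The order of checks matters for the processor-selection point the article makes: revocation and rollback state must live in storage the ROM controls (fuses or equivalent), and the signed region must cover the header, otherwise an attacker can repoint the key index or version without invalidating the signature.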
Software supply chain security
In order to reduce the risk of supply chain attacks, any brought-in source code should be designated as Software of Unknown Provenance (SOUP) and vetted accordingly.
Secure coding practices
As well as developing robust device security principles, ensuring the security of your code is an equally critical aspect of device security. Your coding guidelines need to include secure coding practices, and your code reviews should hold software developers accountable for security.
Testing & Manufacture
Security testing should be given careful consideration, and as with any other medical device testing, a plan should be created. Your Security Test Plan should outline the testing methods you propose to support the cybersecurity of your device, e.g. the use of security testing tools and penetration testing. Lastly, don’t overlook the security of your manufacturing process.
Securing your manufacturing process is the final step in building a thorough defence against cybersecurity threats, so any tools used to securely program, configure or provision devices need to be controlled.
Further support & guidance
Laws & Regulations
Various laws have recently been passed to improve the cybersecurity of medical devices:
- 2021 Executive Order
- H.R.1668: IoT Cybersecurity Improvement Act
- California SB-327
- Oregon HB 2395 (2019)
- European Cyber Security Act
- Singapore CLS (Cybersecurity Labelling Scheme)
- Australia Code of Practice
In the EU, cybersecurity of medical devices is considered part of the General Safety and Performance Requirements (GSPR) of the Medical Device Regulation MDR 2017/745. In addition, the General Data Protection Regulation (GDPR) introduces certain data requirements and provides EU residents with fundamental rights over their data and its protection.
In the US, as part of the software validation and risk analysis required by 21 CFR 820.30(g), software device manufacturers need to establish a cybersecurity vulnerability and management approach. In addition, manufacturers and other entities, depending on the facts and circumstances, may be obligated to protect the confidentiality, integrity, and availability of patient information throughout the product lifecycle, in accordance with applicable federal and state laws, including the Health Information Portability and Accountability Act (HIPAA).
Industry standards & guidance
In addition to the legislation, the following guidelines on medical device cybersecurity should be considered when developing a connected medical device:
- Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
- Postmarket Management of Cybersecurity in Medical Devices
The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook outlines a framework for health delivery organisations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, to ensure the effectiveness of devices, and to protect patient safety.
And finally, the resources below provide more information on principles for medical device security and secure coding practices:
- TIR57: Principles for medical device security – Risk management
- IMDRF/CYBER WG/N60FINAL:2020: Principles and Practices for Medical Device Cybersecurity
- OWASP Secure Coding Practices-Quick Reference Guide | OWASP Foundation
- Top 10 Secure Coding Practices – CERT Secure Coding – Confluence