This article aims to help small to medium size medical device manufacturers (MDM) who develop and/or manufacturer software driven devices to understand how to best tackle Cybersecurity in today’s complex business environments. After all, most medical device manufacturers in the United States range from 50-250 employees and typically don’t have dedicated Information Technology resources available to tackle Product Security requirements. Speaking of product security requirements, this should be nothing new to Medical Device manufacturers since security requirements have existed for many years as part of FDA requirements for software validation and other longstanding industry standards such as IEC 62304 and IEEE standards for Software Engineering. What is new for MDM’s is a renewed focus on the potential impacts of product security on their customers, end-users, and patients. For years the main focus for MDM has been Safety, Efficacy, and Performance of devices. In today’s complex global environments safety has a new partner called Product Security.

Tackling Product Security begins with evaluating your Software Development Lifecycle processes (SDLC). Layering the correct mix of product security activities into the SDLC is key to kicking off Cybersecurity programs successfully. Examples of key activities to include in your SDLC for Product Security include:

  • Product Security Requirements
  • Security Design Architecture
  • Secure Coding
  • Security Verification and Validation

A good place to start with requirements is the NIST special publications website. This website is used to publish computer/cyber/information security and guidelines, recommendations and reference materials. One of the best references to start with here is NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations.

Along with these recommended reference material, you should carefully consider your product’s intended use and user profiles to develop your own product security requirements. One way to look at this is to ask yourself a series of questions that help you derive an appropriate level of product security. Example questions to review include:

  • What assets in your device may require protection?
  • What technology components are used or planned in the device (e.g. Wireless, Bluetooth, LAN, Remote Access, USB, Cloud, etc.)
  • What data is created, modified, archived, transmitted, or stored in the device either temporarily or permanently?
  • What type of software is used in your device (e.g. Firmware, Applications, Algorithms, Middleware, etc.)
  • How can we protect data confidentiality, availability, and integrity?

Once you have Product Security requirements defined, an appropriate level of detailed design for security can be documented. The purpose of documenting a Security Architecture is to help define your threat and vulnerability model. This model can be used to further identify risks related to product security. These risks can then be assessed and combined with safety risk assessments to provide a complete picture of your device’s total risk profile. Combining Safety and Security in a risk assessment model is covered in our Week 3 Theme. So make sure to come back and review how to perform effective Cyber Risk Assessments.

Secure coding is rather new to MDM’s but in reality it is just an extension to good coding practices. Here is where good training is needed to promote not only secure programming environments but to also focus on good Cyber Hygiene when software is developed. Implementing secure code as part of a review process that is executed into a code repository prior to committing to the trunk is a best practice here.

Once the Product Security requirements are defined, Security Architecture documented, and Threat & Vulnerabilities assessed, and secure code is implemented, activities related to Verification & Validation can be identified. Typical Product Security V&V activities may include but are not limited to:

  • Vulnerability Scanning
  • Penetration Testing
  • Fuzz Testing
  • IFU Reviews

These activities require V&V staff to learn new ways of thinking and testing devices. Performing these activities requires deep knowledge of product usage and potential misuse of the device. It may involve testing device configurations and installations based upon customer usage scenarios, device environments, and interoperability with other devices and assessing the level of threat mitigations afforded by the implementation of specific product security requirements.

Beyond the SDLC, other important elements of an effective Cybersecurity program include:

  • Supply Chain Security
  • Incident & Vulnerability Handling Procedures
  • Security Risk Assessment

For most MDM’s integrating Cybersecurity into their existing Quality Management Systems (QMS) is imperative to implementation success. Below is a list of QMS areas that MDM’s should consider reviewing for Cybersecurity impact:

  • Management Reviews
  • Design Controls
  • Risk Management
  • Adverse Event Handling
  • Complaint Handling
  • Supply Chain Management
  • Software Development
  • Field Corrective Actions
  • CAPA

Next week we will discuss more details regarding Securing Medical Devices in Product Development. Stay tuned for more…