Product Security starts early in the development cycle with the selection of appropriate hardware and software components. Many of today’s advanced medical devices require layers of both hardware and software components to achieve a robust security model. Some of these layers may include:

  • Device Layer
  • Application Layer
  • Network Layer
  • Physical Layer
  • Human Interface Layer

Device Layer

At the device layer HW/SW components need to be specified with a balance between features and cost per unit by embedded engineers. Typically, hardware components such as Micro Controllers, Wireless Modules, or other processing units that run firmware and have embedded security features such as Hardware Crypto Engines, Data Protection elements such as AES/DES/3DES, Key stores, or code signing capabilities cost a bit more than simpler solutions. Selecting these components and features early in the development cycle requires careful consideration using a risk-based approach within the context of the device’s overall intended clinical use and essential performance. Once these components are integrated into products it becomes very costly to reverse-engineer or re-design if security flaws are later discovered in the product’s life cycle. Remediation here usually takes the form of product re-design, software patching, or accelerated product obsolescence in extreme cases.

Some other features that may warrant implementation consideration at the device level include:

  • Secure Boot
  • Copy/Clone Protection
  • Hardware Root of Trust

It’s amazing how so many companies today develop medical products and don’t design or implement some of these basic features to protect Intellectual Property. Enterprises spend millions yearly on IT security products and services protecting their company’s perimeter against intruders and preventing breaches from within, all the while critical company assets located within the medical products themselves are wide open for exploitation in the field and throughout the global supply chain.

Part of the issue here is accountability and responsibility within organizations for Product Security. This is something new for many device manufacturers. Assigning a responsible person is a good first step.

Application Layer

The application layer is where the software code is initially developed and where most of the data processing occurs within a software-driven medical device. These applications are broad and can range from simple firmware modules to complete software platforms implemented in the cloud. Two key asset for protection include the software itself and the medical device data it may create, modify, store, archive, or transmit. Key provisions for protecting data at rest and in transit should be considered. Applicable regulations that cover Privacy and Security are required for compliance at the application layer. In the United States these regulations may include HIPAA and other Federal, State, and Local laws and regulations. If the Medical Devices are marketed and sold to US Government agencies, then additional security controls may be required such as compliance to Federal Information Processing Standards (FIPS).

Additionally, many software engineers in the medical device industry are new to secure programming practices. Here education and training will go a long way to ensuring that code developed and implemented is as secure as possible. For a good reference on this see ISO/IEC TR 24772 2013 titled Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use. Code reviews should be used to promote compliance to such practices.

Your company’s Software Development Life Cycle (SDLC) procedures should include requirements for implementing Product Security. Some of the key product security activities in the SDLC include:

  • Security Management Plan as part of the Software Development Plan (IEC62304)
  • Product Security Requirements
  • Security Architecture design (including threat modeling)
  • Security Risk Analysis
  • Secure Coding
  • Code Reviews
  • Security Verification & Validation
  • Software Maintenance Procedures (Patches, Updates, Incident/Vulnerability Handling)

Network Layer

The network layer is where connectivity and a greater level of access to medical devices and their data is enabled. This connectivity can be local, distributed, remote, or open to the internet depending on the intended use of the device. Devices with this greater level of connectivity and interoperability are considered part of the ‘Internet of Medical Things” and require additional security controls in their protection profiles. Medical Device manufacturers are increasingly looking for ways to earn a larger portion of revenue from their customer base in this competitive healthcare landscape. One way to do this is to layer additional value-added services with the device itself. This may come in the form of added device interoperability with healthcare institutions, payers, providers, and other care networks. Cloud integration is of particular interest since direct patient engagement with care professionals can be performed. This trend towards greater device connectivity and interoperability also adds significant risks in managing the device, its data, and end-users from a security perspective. Today remote patient monitoring represents a large swath of opportunity within the connected device landscape.

One of the most important challenges for securing our Medical Devices beyond product development lies with the Technical Support or Field Engineering staff that are responsible for the installation and maintenance of such systems. If these systems are not configured, installed, or maintained correctly with the collaboration of the user facility, then security gaps can be introduced into the product life cycle. Maintenance activities such as security patching and monitoring can help ensure the product remains secure throughout the device’s useful life. This is obviously a shared responsibility between device manufacturers, user facilities, and many others who participate within the device and healthcare community. This is one of the reasons keeping our devices safe is so difficult.

Physical Layer

The Physical layer typically involves some level of access or proximity to the physical devices themselves in their intended use environments. Here security can be implemented in many different ways such as surveillance systems, physical access controls, identity management, secure enclosures, tamper resistance designs, and tamper evident packaging.

Human Layer

Last but not least is the Human interface layer where access controls are typically implemented via passwords, PINS, Keys, biometrics, or other forms of authentication/authorization management.

Next week we will focus on performing effective Cyber Risk Assessments and linking them to product safety. Stay tuned for more…