medical device security

There are some interesting influences on medical devices related to cyber security (yeah, I know, cyber. Common parlance is common parlance.) that you may or may not be aware of. I am not saying that medical devices are special snowflakes and nobody else knows our pain, but there are some things that are worth mentioning when we talk about cyber security in the context of medical devices.

Today we will explore the co-dependent trilogy of patient safety, validated state, and cyber security.

Patient Safety

Let's start with patient safety. Patient safety is paramount when we are talking about making changes to medical devices. This is especially true for devices that can kill or seriously harm you, like infusion pumps and x-ray machines. It is less so for things like ultrasound machines and blood pressure cuffs. However, this is always the first question that must be asked when we start to make a change for security purposes: will this increase, decrease, or be net neutral from a patient safety perspective?

Note: There is an underlying concern about usability that sneaks into patient safety. It relates to making sure the device can be used in a situation where time lost using the device can equate to harm to the patient, i.e. the surgeon can't get an x-ray quickly enough because of poorly designed security controls, which means the surgeon doesn't know exactly what to do and the patient dies.

Validated State

Validated state. What the heck is that? I had no idea before coming to work for my current employer. The validation process performed on a medical device is when the manufacturer implements procedures to ensure that the product

"meet[s] specific requirements for identity, strength, quality, and purity. In order to comply with cGMP, companies are required to record, track, manage, store and easily access various production documents and their detailed change history including Standard Operating Procedures (SOPs), Master Production Batch Record (MPBR), Production Batch Record (PBR), Equipment log books etc."

That quote is taken from this page. If you really want to punish yourself, you can read the actual FDA guidance on this here. What does that mean in regards to real life and cyber security changes? It means that for every change to a medical device, the manufacturer MAY be required to perform a complete validation cycle. These validation cycles are expensive and time consuming.

Luckily, recent pre- and post-market guidance from the FDA has clarified some things directly related to security updates that allow for a less strenuous validation process, and there has always existed the possibility of a less intrusive process being performed, referred to as verification.

Cyber Security

This brings us to cyber security. Cyber security engineering for medical devices, as in all development, is best done early and often in the development process. This ensures that patient safety concerns are constantly addressed and the device's security stance is inherently included during any validation efforts. That takes care of development. Simple, huh? Of course, as the saying goes, "Simple doesn't mean easy."

What about security patching? If it can be demonstrated that the installation and/or configuration change being made does not affect the intended use of the device, a full validation cycle may not be needed. However, if it does, then validation must be done. This is one reason why you will see what appear to be rather long patch release schedules for some medical devices.

This is by no means a full treatment of these topics, but I thought it was worth a few words.

Questions? Comments?


The last time I posted on this blog was March 13th, 2013 immediately following my last public speaking engagement at an information security conference. Who was to know that a year later I would be done with enterprise security and working in a totally new vertical? Certainly not me.

In May of 2015 I started working as a product security consultant for a major medical device manufacturer assisting a variety of medical device engineering teams. My scope and focus moved from the abstract 50,000 foot view of enterprise security architecture to deeply technical, in-the-weeds work with those engineering teams developing design inputs to move medical device security forward.

To say that it has been a massive learning experience is an understatement. However, it has also been extremely rewarding. I work in a space where we are making changes that have real positive impact on the safety of human beings and the protection of the information they share with their healthcare providers.

I perhaps have a blind spot, but the mass of communication I see online seems focused rather stridently on how bad things are and how medical devices are the next blah blah blah we're all gonna die blargle blargle blargle.

Are there bad things happening?

Of course.

Are medical devices a bit (lot) behind the times when it comes to their security posture?


However, there are some of us out there making changes and trying to move the needle. To that end, I'll be offering some thoughts here and there about what I see happening and what kind of changes are occurring.

I hope you find it interesting.

To that end, I am always happy to focus my attention in places where people have questions, so leave a comment mentioning things you are curious about related to medical device security and I'll do my best to speak to them.

Until next time, hopefully not three years from now, later.