This week, two researchers published developer guidance meant to reduce the risk of malicious attacks on medical devices.
Released Monday, the 23-page paper (PDF), called “Building Code for Medical Device Software Security,” was written by researcher Tom Haigh of Adventium Labs and Carl Landwehr, lead research scientist at George Washington University's Cyber Security Policy and Research Institute.
In November 2014, Haigh and Landwehr led a two-day workshop in New Orleans with 40 volunteers whose expertise spanned cybersecurity, medical device standards, regulation and development. The workshop was sponsored by the IEEE Cybersecurity Initiative and the National Science Foundation, and Haigh and Landwehr distilled the participants' central points into the guidance.
“This draft should be considered a starting point for a more complete code,” the co-authors wrote in the report. “While some elements of the draft code presented here address the design and test phases, there is a clear need for further effort to expand those aspects of the code.” Later in the paper, the pair explained that the goal of the “code” was “not to assure that future medical devices can resist every imaginable attack, but rather to establish a consensus among experts in medical devices, cybersecurity and computer science on a reasonable model code for the industry to apply.”
The elements of the code were organized into 10 categories, including elements intended to avoid, detect or remove specific types of vulnerabilities at the implementation stage, elements for enabling detection and attribution of attack, elements for assuring proper use of cryptography, and also steps that would assist in restoration of medical device function, should an attack occur, the guidance said.
To avoid, detect or remove implementation-stage flaws, for instance, the authors recommended the use of memory-safe languages and secure coding standards. To enable detection and attribution of attacks, Haigh and Landwehr suggested that developers use security event logging.
Safe degradation of function during an attack, restoration of device function after an attack, and elements supporting privacy requirements were each listed in the paper as a “design consideration” for developers.