This week, two researchers published developer guidance meant to reduce the risk of malicious attacks on medical devices.
Released Monday, the 23-page paper (PDF), called “Building Code for Medical Device Software Security,” was written by researcher Tom Haigh of Adventium Labs and Carl Landwehr, lead research scientist at George Washington University's Cyber Security Policy and Research Institute.
In November 2014, Haigh and Landwehr led a workshop in New Orleans consisting of 40 volunteers with expertise in a number of areas, including cybersecurity, medical device standards, regulation and development. Support for the two-day workshop was sponsored by the IEEE Cybersecurity Initiative and the National Science Foundation, and Haigh and Landwehr organized participants' central points into guidance.
“This draft should be considered a starting point for a more complete code,” the co-authors wrote in the report. “While some elements of the draft code presented here address the design and test phases, there is a clear need for further effort to expand those aspects of the code.” Later in the paper, the pair explained that the goal of the “code” was “not to assure that future medical devices can resist every imaginable attack, but rather to establish a consensus among experts in medical devices, cybersecurity and computer science on a reasonable model code for the industry to apply.”
The elements of the code were organized into 10 categories, including elements intended to avoid, detect or remove specific types of vulnerabilities at the implementation stage, elements for enabling detection and attribution of attack, elements for assuring proper use of cryptography, and also steps that would assist in restoration of medical device function, should an attack occur, the guidance said.
In order to avoid, detect or remove implementation stage flaws, for instance, the authors recommended use of memory-safe languages and secure coding standards. To enable detection and attribution of attack, Haigh and Landwehr suggested that developers use security event logging.
Safe degradation of function during an attack, restoring device function after attack, and elements supporting privacy requirements were all listed in the paper as a “design consideration” for developers.
Back in October, the Food and Drug Administration (FDA) finalized its own set of guidelines for medical device security to help manufacturers manage security risks and better protect patient health data. Considerations included limiting access to devices through authentication, using appropriate authentication such as multi-factor authentication, requiring user authentication or other controls for updating software and firmware, and avoiding “hardcoded” passwords or common words and limiting public access to passwords used for privileged device access, according to the guidelines.
The newly released guidance for medical device software, comes a week after the FDA joined a public safety call warning device operators that widely used infusion pumps were vulnerable to remotely exploitable bugs.
FDA said that the product in question, the Hospira LifeCare PCA Infusion System, could fall prey to an unauthorized user with malicious intent accessing the pump remotely to modify the dosage it delivers,” which could lead to over- or under-infusion of critical therapies,” the agency's alert said. An updated version of the LifeCare product, Version 7.0, has been developed by Hospira to address reported security issues, but it is currently under review by the FDA.