Wayne Stewart, Director, EWA Canada, an Intertek Company. 01.02.19
IoT security is still in its infancy. Few devices have been designed with cybersecurity in mind, and fewer still have undergone any independent cybersecurity testing. As a result, many people are wary of the cybersecurity risks a device may carry, while others give it no thought until something happens, when it is too late. The healthcare industry is a growing part of the connected world as medical devices themselves become connected and interact with other connected products. Securing a connected medical device is critical both to patient safety and to the protection of patient data and personal information.
General Mitigation Measures
For any connected device, securing the ecosystem is critical. A secure ecosystem is built on a base of secure products that have undergone rigorous security evaluation against industry-accepted standards. Secure products alone are not enough: best practices and industry-specific standards should drive the security-minded processes that operate the networking and computing infrastructure. A secure ecosystem should be monitored and maintained through regularly scheduled audits and the use of outside teams for tasks such as penetration testing, software evaluations, and hardware assessments. Regular security awareness training, so that employees stay current on security best practices, is equally critical.
Independent testing and security certification of connected devices demonstrate a commitment to managing information security. They show compliance with business, legal, contractual, and regulatory requirements while clearly identifying who is responsible for information assets and delineating information risk responsibilities. The independent opinion confirms that controls are working as intended, which can be a competitive advantage, and it typically yields a roadmap for security improvement, better operating processes, and an inventory of key business assets.
While following the general mitigation methods will assist in assuring the security of the IT ecosystem, there are specific steps and considerations that will help to secure connected medical products.
Connected Medical Devices
When it comes to connected medical devices, there are several problems and challenges to consider. Medical device manufacturers are familiar with risk management and addressing hazards, but connected devices introduce a new form of risk: cyber risk. Even a simple cybersecurity model is hard to apply given the deficiencies in many current assessment models. Security assessment of the cloud back-end, while critical, is not part of many of today’s IoT security standards; they are designed to assess the device itself and provide no end-to-end assurance of cloud-based data and services. The communications infrastructure, likewise, is often simply assumed to be secure, an assumption that is frequently wrong. Simply stated, the typical scope of medical device endpoint security testing and evaluation does not address the complex, distributed nature of network-connected products. Vulnerabilities in communications and in back-end servers and services can result in significant cybersecurity concerns and patient hazards.
To address these issues, connected medical devices must be evaluated to the full scope of testing for enhanced assurance, including:
- Connectivity: Regulatory and safety compliance testing of cellular (3G, LTE, etc.) and non-cellular (Bluetooth, WiFi, Zigbee, etc.) elements.
- Interoperability: Assurance of end-point interoperability with major operating and application platforms.
- Security: End-to-end security of a device and its supporting back-end infrastructure based on applicable standards such as ANSI/UL 2900-2-1.
A full scope of testing and evaluation lets a manufacturer give the end user evidence rather than assurances. It confirms the product’s interoperability with other devices and platforms, supporting a good user experience while securing information and maintaining performance. Full-scale testing also checks that communication channels protect the confidentiality and integrity of data transferred between the device and the IoT infrastructure. Testing the infrastructure, in turn, provides assurance that sensitive end-user data is adequately protected against unauthorized disclosure, theft of service, and similar concerns.
At the end of the day, no two medical devices are the same. It is up to the manufacturer to ensure the end-to-end security of the device and of its cloud services. Likewise, it is up to the manufacturer to ensure risk is managed, data is protected, and the device itself does not become a backdoor into the network it is deployed on. It is also the manufacturer’s responsibility to ensure that new firmware can be deployed securely, meaning only authentic, unmodified images are accepted and the update path cannot be abused to reintroduce old, vulnerable versions, without creating new risks. The best way to achieve all of this is through regulatory standards, best practices, and independent assessment.
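What "securely deployed" means for a firmware update, as an added example that is not from the original article or from EWA Canada: a device-side check, written in Go with only the standard library, that accepts an update only when the vendor’s Ed25519 signature over a manifest verifies, the manifest’s version is newer than the installed one (anti-rollback), and the received image matches the signed hash. The manifest layout, the `SignManifest` and `VerifyUpdate` names and the sample image are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor. The vendor signs it on the
// build system; the device only ever holds the vendor's public key.
type Manifest struct {
	Version   uint32   // monotonic release number, used for anti-rollback
	ImageHash [32]byte // SHA-256 of the firmware image the manifest describes
	Signature []byte   // Ed25519 signature over signedBytes()
}

// signedBytes is the fixed-layout encoding the signature covers: version
// followed by image hash, so neither can be changed without re-signing.
func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignManifest is the build-side step; the private key never leaves the vendor.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version is not newer than the installed version")
	ErrImageHash    = errors.New("image does not match the signed hash")
)

// VerifyUpdate is the device-side gate that runs before any byte of the image
// is written to flash. Authenticity is checked first, so nothing in an
// unverified manifest is trusted for any later decision.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	// 1. Authenticity: the manifest must carry a valid vendor signature.
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	// 2. Anti-rollback: a genuinely signed but older release (with known
	//    vulnerabilities) must not be reinstallable.
	if m.Version <= installed {
		return ErrRollback
	}
	// 3. Integrity: the image bytes actually received must match the hash
	//    that was signed; a swapped or corrupted image fails here.
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageHash
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed sample firmware image, release 3") // constructed, not a real image
	m := SignManifest(priv, 3, image)

	fmt.Println("genuine release 3 on a device running 2:", VerifyUpdate(pub, 2, m, image))
	fmt.Println("same manifest on a device already on 3:", VerifyUpdate(pub, 3, m, image))

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xFF
	fmt.Println("image altered in transit:", VerifyUpdate(pub, 2, m, tampered))

	edited := m
	edited.Version = 9 // version bumped without access to the signing key
	fmt.Println("manifest edited without re-signing:", VerifyUpdate(pub, 2, edited, image))
}
```

Two things the code cannot do for you: the embedded public key and the installed-version counter must themselves be protected from modification (for example in write-protected or OTP storage), and the transport that delivers the manifest and image should still be authenticated, since the signature protects the artifact, not the channel.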
Regulatory Requirements
Recently, the U.S. Food and Drug Administration issued draft premarket guidance that recommends including a “cybersecurity bill of materials” in all premarket submissions. This “bill” should list the device’s software and hardware components that are, or could become, susceptible to vulnerabilities. The goal is for manufacturers to incorporate cybersecurity best practices as they design and develop medical devices, addressing threats before the device enters the market.
The guidance divides medical devices into two categories based on the level of potential harm to patients: higher security risk (Tier 1) and standard security risk (Tier 2). It encourages the creation of “trustworthy” devices, those that are reasonably secure from intrusion and misuse and that maintain a reasonable level of availability, reliability, and functionality.
Premarket submissions for a Tier 1 device should demonstrate that the device has undergone a design and risk assessment incorporating design controls, including ways to limit access to trusted users, authentication of safety-critical commands, methods to maintain the integrity and confidentiality of data, processes to detect and respond to cybersecurity events, and compliance with all labeling recommendations for devices with cybersecurity risks. Tier 2 submissions may instead include a rationale for why the draft guidance’s design controls are not appropriate for the device.
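The "authentication of safety-critical commands" control above, as an added example that is not from the article or from the FDA guidance: an Ed25519-signed command format with a per-issuer counter and an expiry, so a captured command can be neither replayed nor altered, plus a separate per-issuer allowlist so that a valid key for one role cannot request another role’s operations. The `Command` fields, the issuer names `clinician-console` and `maintenance`, and the operation names are hypothetical; the code is Go using only the standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Command is a hypothetical safety-critical instruction. Every field that
// influences what the device does is covered by the signature; Counter and
// NotAfter are what stop a captured command from being reused.
type Command struct {
	Issuer    string // identifies the signing key, e.g. "clinician-console"
	Counter   uint64 // strictly increasing per issuer
	NotAfter  int64  // unix seconds; bounds the lifetime of a captured command
	Op        string // operation name, e.g. "set_rate"
	Arg       uint32 // operation parameter
	Signature []byte // Ed25519 over signedBytes()
}

func appendU64(b []byte, v uint64) []byte {
	var tmp [8]byte
	binary.BigEndian.PutUint64(tmp[:], v)
	return append(b, tmp[:]...)
}

// signedBytes is an unambiguous encoding: strings are NUL-terminated and
// integers fixed-width, so two distinct commands never serialise identically.
func (c Command) signedBytes() []byte {
	b := append([]byte(c.Issuer), 0)
	b = appendU64(b, c.Counter)
	b = appendU64(b, uint64(c.NotAfter))
	b = append(b, c.Op...)
	b = append(b, 0)
	return appendU64(b, uint64(c.Arg))
}

// Sign runs on the issuing system, which holds the private key.
func Sign(priv ed25519.PrivateKey, c Command) Command {
	c.Signature = ed25519.Sign(priv, c.signedBytes())
	return c
}

// Issuer pairs a trusted key with the operations it may request, keeping
// authentication (whose key) separate from authorisation (which operations).
type Issuer struct {
	Key     ed25519.PublicKey
	Allowed map[string]bool
}

// Device holds the trust anchors and the last accepted counter per issuer.
// Now is injectable so expiry can be exercised with a fixed clock.
type Device struct {
	Issuers     map[string]Issuer
	LastCounter map[string]uint64
	Now         func() time.Time
}

var (
	ErrUnknownIssuer = errors.New("unknown issuer")
	ErrBadSignature  = errors.New("command signature invalid")
	ErrExpired       = errors.New("command expired")
	ErrReplay        = errors.New("counter not greater than last accepted counter")
	ErrNotAuthorized = errors.New("issuer not authorised for this operation")
)

// Accept validates a command and advances the issuer's counter only when
// every check passes; an unauthenticated command changes no state.
func (d *Device) Accept(c Command) error {
	iss, ok := d.Issuers[c.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(iss.Key, c.signedBytes(), c.Signature) {
		return ErrBadSignature
	}
	if d.Now().Unix() > c.NotAfter {
		return ErrExpired
	}
	if c.Counter <= d.LastCounter[c.Issuer] {
		return ErrReplay // same command seen again, or an older one re-sent
	}
	if !iss.Allowed[c.Op] {
		return ErrNotAuthorized
	}
	d.LastCounter[c.Issuer] = c.Counter
	return nil
}

func main() {
	consolePub, consolePriv, _ := ed25519.GenerateKey(rand.Reader)
	maintPub, maintPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{
		Issuers: map[string]Issuer{
			"clinician-console": {Key: consolePub, Allowed: map[string]bool{"set_rate": true, "self_test": true}},
			"maintenance":       {Key: maintPub, Allowed: map[string]bool{"self_test": true}},
		},
		LastCounter: map[string]uint64{},
		Now:         time.Now,
	}
	deadline := time.Now().Add(30 * time.Second).Unix()

	cmd := Sign(consolePriv, Command{Issuer: "clinician-console", Counter: 1, NotAfter: deadline, Op: "set_rate", Arg: 50})
	fmt.Println("fresh, signed, authorised:", dev.Accept(cmd))
	fmt.Println("same bytes replayed:", dev.Accept(cmd))
	tampered := cmd
	tampered.Arg = 500 // altered in transit; signature no longer matches
	fmt.Println("argument altered:", dev.Accept(tampered))
	stale := Sign(consolePriv, Command{Issuer: "clinician-console", Counter: 2, NotAfter: deadline - 60, Op: "set_rate", Arg: 50})
	fmt.Println("expired:", dev.Accept(stale))
	m := Sign(maintPriv, Command{Issuer: "maintenance", Counter: 1, NotAfter: deadline, Op: "set_rate", Arg: 50})
	fmt.Println("valid key, operation not permitted:", dev.Accept(m))
}
```

In a real device the per-issuer counter must be persisted across reboots (otherwise a reboot reopens the replay window), and the device clock used for expiry needs its own integrity story. This is message-level authentication: it sits on top of transport security such as TLS and is what makes the command trustworthy even if the channel assumption discussed above turns out to be wrong.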
In addition to this premarket guidance, the FDA has recognized ANSI/UL 2900-2-1 for connected medical devices. Adopted in 2017, it applies to network-connectable products and requires they be evaluated and tested for vulnerabilities, software weaknesses, and malware. The standard does not contain any functional requirements for the product. Instead, it imposes three broad sets of requirements upon the vendor:
- Documentation of design, security, and management, as well as a risk assessment of security mitigation designed into products.
- Application of risk controls, including access control, user authentication, user authorization, securing remote communication, protection of sensitive data, and product management.
- Elimination of product vulnerabilities through analysis and testing.
While it has generated a lot of attention, the standard has not yet been broadly adopted by the industry. This means it is also up to the manufacturer to adopt best practices to ensure the cybersecurity of a connected medical device.
Best Practices
As manufacturers look to develop connected medical devices within a rapidly changing industry, there are some actions that should be taken.
Define all the security requirements for the product. If this has not been done, start by identifying the threats the product faces and the vulnerabilities it might contain; together these create the risks that must be mitigated. Then decide which safeguards (controls) should be implemented.
Bake security into product design. Adding security after the fact rarely works and always costs more; the design should be intrinsically secure from the start.
Test throughout the development process. If all security testing is loaded at the end of a project and everything works out, you’re likely extremely lucky. However, if it fails and a fundamental design flaw is found, you may have to redesign significant functionality or even start over from scratch. For this reason, whenever possible, test security early and often to ensure you’re not making any fundamental mistakes along the way.
Creating any connected device can be a daunting task in a world where technology continues to evolve at a rapid pace. Securing any connected device is important; securing a device used for medical purposes is critical. By following the guidance issued by the FDA, standards in place for medical and/or connected devices, and industry best practices, manufacturers can take steps to ensure the safety, performance, and security of their devices.