The Internet of Things is all around us. But it doesn’t stop there—now it’s inside us too. As the era of “connected everything” explodes, so does the use of network-connected medical devices. These interconnected devices, ranging from hospital imaging equipment to implantable pacemakers to infusion pumps, help healthcare providers and patients in a variety of tasks—monitoring vitals, regulating dosages, improving diagnostics, and more. But the convenience of this functionality comes with a trade-off: vulnerability. If attackers gain access to a connected medical device, the potential consequences include severe injury and even death. Consider this:
It’s never good news to find out that both your personal and clinical information could be compromised by the software platform your healthcare provider is using.
What makes medical devices hackable? The same thing that makes websites hackable: software vulnerabilities. But the consequences are far worse than stolen data.
The recent announcement by the Federal Food and Drug Administration (FDA) that it has adopted the ANSI (American National Standards Institute)-approved UL 2900-2-1 as a “consensus standard” for premarket certification of medical devices means the world is about to change—for the better. Especially for patients.
What does cyber security mean for connected medical devices?

Recently, the U.S. Food and Drug Administration (FDA) officially announced that it formally recognizes UL 2900-2-1. The announcement follows the FDA’s acceptance last year of UL 2900-1, the first publication in the UL 2900 series of standards for cyber security. UL 2900-2-1 is the first FDA guidance that sets specific criteria for cyber security testing of network-connected medical devices and supports existing risk-based methodologies.

What is the impact of the FDA’s adoption of UL 2900-2-1?

While the FDA cannot mandate the use of a standard, its guidance has powerful implications for premarket certification (510(k)). Going forward, vendors seeking to submit a 510(k) should have artifacts that document their cyber security testing. Many organizations already perform some level of cyber security testing, but the adoption of UL 2900-2-1 will level and hopefully raise the bar for security testing. Indeed, some products may not be capable of achieving certification.

How long will it take before we see a shift in connected medical devices?

Industrywide use of UL 2900-2-1 will not happen overnight. It will take time for organizations to review and implement changes for current and future products. For many connected devices already in use, there is no effective means to update them if a vulnerability is disclosed. The shift toward more secure connected medical devices may be slow, but FDA adoption of UL 2900-2-1 is a critical step.

What’s in the UL 2900-2-1 standard?

UL 2900-2-1 specifies requirements for network-connected medical devices but does not specify which testing methods to use. UL 2900-1 contains the core set of testing criteria needed to achieve CAP certification (see below). Devices with patient safety impact may need to meet or exceed the testing parameters outlined in UL 2900-1. The manufacturer must define the criteria after considering both the standard and the product’s risk factors.
The cyber security of connected medical devices, notoriously poor for decades, could finally start to improve.
Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup. Watch the episode below:
Black Duck by Synopsys announces OpsSight 2.0. Abbott strengthens pacemaker software against vulnerabilities. A year after disclosure, the Struts vulnerability is still a danger to thousands of companies. And the new Synopsys Security Mashup video is up.
FUD—fear, uncertainty, and doubt—is usually met with relentless mockery in the cyber security world, since it’s sometimes used to try to frighten people into buying a product.
Wednesday, RSA 2018: On any given day, there are more than 150 sessions to choose from here. Good luck getting to even 5% of those. The good news is that attendees can get access to most of the sessions they missed after the fact, since the slide presentations are posted and videos are made of just about every one. So you can keep “attending” for months to come. But here is one observation from a small slice of it in real time: It didn’t get nearly as much buzz as the keynote from Monica Lewinsky of Bill-Clinton-and-blue-dress fame, but the message was still powerful: Behavioral analytics is changing the world of security.