The new consensus standard is meant to address problems like that. UL declared in a white paper from April titled Medical Devices and Cybersecurity that “device developers and manufacturers must do more than meet the minimum regulatory requirements in their efforts to protect confidential patient data and to help ensure the safety of patients.”
“Instead, they need to thoroughly evaluate and address the potential cybersecurity risks associated with their products, not just during the product development stage but also throughout the products’ anticipated use lifetime.”
That is a direct reference to the reality that in some cases, it is difficult or even impossible to patch or update software vulnerabilities in those devices.
The recommendations called out in UL 2900-1 include these:
- Known vulnerability testing
- Malware testing
- Malformed input testing
- Structured penetration testing
- Software weakness analysis
- Static source code analysis
- Static binary and bytecode analysis
These practices, applied rigorously, would make the cybersecurity of medical devices vastly better out of the gate. But of course, the reality is that it will likely take a generation—perhaps more—of devices that comply with the standard to really change the world. Many devices now in use are made to last years—in some cases decades.
“This will not be an overnight process,” Clark said. “Even products that are in design may be delayed or ask for waivers.”
And he said it will likely take time for the standard to be refined to address the capabilities and function of devices.
“A prime example is fuzz testing requirements that a device must recover from a malformed injection in two minutes or less,” he said, noting that for some critical systems, that might be far too long. “Parameters for testing might be increased in order to protect the patient.”
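As an added illustration (not code from the article, from UL, or from the standard's test procedure): a small Python harness that applies the recovery-time check Clark describes, with the time budget as a per-device-class parameter so it can be tightened for critical systems. The 120 s figure comes from the quote; the simulated device, the fake clock and the 5 s life-critical budget are assumptions.

```python
# Recovery budgets in seconds per device class. The 120 s figure is the
# two-minute limit quoted in the article; the 5 s budget is an assumed,
# tighter parameter for life-critical systems.
RECOVERY_BUDGET_S = {"general": 120.0, "life_critical": 5.0}


class FakeClock:
    """Constructed clock for deterministic runs: each call advances `tick` s."""
    def __init__(self, tick: float) -> None:
        self.t, self.tick = 0.0, tick

    def __call__(self) -> float:
        self.t += self.tick
        return self.t


class SimulatedDevice:
    """Toy device (constructed): expects a 4-byte big-endian payload length
    followed by the payload. A malformed frame faults the device, which
    comes back only after `restart_delay` seconds."""
    def __init__(self, restart_delay: float) -> None:
        self.restart_delay, self.down_until = restart_delay, 0.0

    def handle(self, frame: bytes, now: float) -> str:
        if now < self.down_until:
            return "unavailable"
        if len(frame) < 4 or int.from_bytes(frame[:4], "big") != len(frame) - 4:
            self.down_until = now + self.restart_delay  # crash, then reboot
            return "fault"
        return "ok"


def measure_recovery(device, malformed: bytes, clock, max_wait_s=600.0) -> float:
    """Send one malformed frame, then probe with a well-formed empty frame
    until the device answers again. Returns seconds from fault to recovery,
    0.0 if the frame was handled without a fault, inf if it never recovers."""
    probe = (0).to_bytes(4, "big")
    t0 = clock()
    if device.handle(malformed, t0) != "fault":
        return 0.0
    while True:
        now = clock()
        if device.handle(probe, now) == "ok":
            return now - t0
        if now - t0 > max_wait_s:
            return float("inf")


def within_budget(recovery_s: float, device_class: str) -> bool:
    """Pass/fail against the budget for the given device class."""
    return recovery_s <= RECOVERY_BUDGET_S[device_class]


if __name__ == "__main__":
    bad = b"\x00\x00\x00\x10" + b"AAA"  # header claims 16 bytes, carries 3
    r = measure_recovery(SimulatedDevice(30.0), bad, FakeClock(1.0))
    print(r, within_budget(r, "general"), within_budget(r, "life_critical"))
```

The same 30 s recovery passes the general budget and fails the life-critical one, which is the kind of parameter tightening Clark anticipates.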
Bottom line: “It may be years before the entire industry is up to speed,” he said.
But Fernando said while it could take as long as 25 years to replace the medical devices now in use, “a well-informed community could take actions to protect healthcare infrastructure, such as network micro-segmentation and product isolation.”
Which is a major start, and more than could have been said even two months ago.