Posted by Chandu Ketkar on January 2, 2015
Medical device security is hard, and there is no denying that most medical devices, especially those connected to the Internet, lack adequate security controls. As Dr. Gary McGraw and I discussed in our Search Security article, there is a lot of work to be done in the domain of medical device security. But the good news is that there are groups who are stepping up to meet the challenge head on. I was fortunate to lend my expertise to several of these initiatives, including the National Science Foundation (NSF) and Institute of Electrical and Electronics Engineers (IEEE) sponsored workshop, “Creating a Building Code for Medical Device Software Security.”
The workshop brought 40 experts from the fields of healthcare, medical devices, and software security together in order to (1) establish an initial consensus among industry and academic participants of the components of a “building code” that would be appropriate to reduce significantly the vulnerability of medical devices to malicious attacks, and (2) establish a research agenda for the creation of evidence that could justify the inclusion of additional elements in such a code.
For two days we worked in groups of eight to determine which of the proposed list of 40-odd building code elements, including process-level recommendations, compiler enhancements, obfuscation, encryption, hardware enhancements, and threat modeling, should be included in a useful structure that delivers prescriptive guidance for a building code. That code must work within, and map to, the existing frameworks, which include (1) the FDA’s guidance on cybersecurity and (2) NIST’s framework for improving critical infrastructure cybersecurity.
While this document is just the first of many steps needed to improve medical device security, I encourage you to use these results as you continue to develop code for medical devices. If you are interested in learning more about medical device security, here are a few resources you may find helpful: