IEEE Releases Med Device Cybersecurity Guidelines


Amid myriad media reports about potential vulnerabilities in medical device cybersecurity and the FDA’s efforts to strengthen medical device cybersecurity, the IEEE Cybersecurity Initiative released a report entitled “Building Code for Medical Device Software Security.” The report sets forth elements aimed at reducing the vulnerability of medical device software to malicious attackers. The report employs a loose definition of “medical devices,” ranging from wearable devices to electronic health record systems.

The report highlights the most common types of software vulnerabilities that are exploited by malicious attackers. The bulk of the report proposes standards for five software implementation considerations: (1) avoiding, detecting, or removing specific vulnerabilities, for example by using memory-safe languages, secure coding standards, and automated thread safety analysis; (2) ensuring proper cryptography; (3) improving software integrity; (4) impeding attacker analysis or exploitation; and (5) detecting malicious attacks. The report further brings up four software design considerations about maintaining service during, or restoring service after, an attack and supporting privacy requirements, but does not propose any standards for them. Finally, the report notes that the “building code” itself should be consistent in categorizing particular types of attacks and should be maintained over time.

The IEEE Center for Secure Design has also released “Avoiding the Top 10 Software Security Design Flaws,” to give advice on ways to address particular issues including data authentication, authorization, and validation; cryptography; sensitive data classification; and integrating external software components.


By using this blog, you agree and understand that no information is being provided in the context of any attorney-client relationship. You further agree and understand that nothing herein is intended to be legal advice. This blog is solely informational in nature, and is not intended as, and should not be used as, a substitute for competent legal advice from a retained and licensed attorney in your state. Knobbe Martens LLP makes no representations or warranties as to the accuracy, completeness, timeliness or availability of the information in this blog. Knobbe Martens LLP will not be liable for any injury or damages relating to your use of, or access to, any such information. Knobbe Martens LLP undertakes no obligation to correct or update information on this blog, which may be incorrect or become incorrect or out of date over time. Knobbe Martens LLP reserves the right to alter or delete content or information on the blog at any time. This blog contains links and references to other websites and publications that you may find of interest. Knobbe Martens LLP does not control, promote, endorse or otherwise have any affiliation with any other websites or publications unless those websites or publications expressly state such an affiliation. Knobbe Martens LLP further has no responsibility for, and makes no representations regarding, the content, accuracy or any other aspect of the information in such websites or publications.