Amid myriad media reports about potential vulnerabilities in medical device cybersecurity and the FDA’s efforts to strengthen medical device cybersecurity, the IEEE Cybersecurity Initiative released a report entitled “Building Code for Medical Device Software Security.” The report sets forth a set of elements aimed at reducing the vulnerability of medical device software to malicious attackers. The report employs a loose definition of “medical devices,” ranging from wearable devices to electronic health record systems.
The report highlights the most common types of software vulnerabilities that are exploited by malicious attackers. The bulk of the report proposes standards for five software implementation considerations in ways to (1) avoid, detect, or remove specific vulnerabilities like using memory-safe languages, secure coding standards, and automated thread safety analysis; (2) ensure proper cryptography; (3) improve software integrity; (4) impede attacker analysis or exploitation; and (5) detect malicious attacks. The report further brings up four software design considerations about maintaining service during or restore service after an attack and supporting privacy requirements, but does not propose any standards. Finally, the report notes that the “building code” itself should be consistent in categorizing particular types of attacks and should be maintained over time.
The IEEE Center for Secure Design has also released “Avoiding the Top 10 Software Security Design Flaws,” to give advice on ways to address particular issues including data authentication, authorization, and validation; cryptography; sensitive data classification; and integrating external software components.