During a conference earlier this year, Suzanne Schwartz, M.D., MBA, director of emergency preparedness/operations and medical countermeasures at CDRH framed the problem of device security well: “Cybersecurity isn’t just a design issue. It’s not just at product launch. It’s a life cycle issue. It requires a change in mindset.”
Implementing a robust security plan for your medical device should be part of your commitment to your customers throughout the device lifecycle. Your customers want to know that the device will function as expected while protecting their information. Many customers are not aware of the multitude of ways that a device’s performance and data may be compromised and will rarely provide requirements that directly speak to security concerns; they just want the device to work as promised. When a customer uses your products, there is an implicit trust relationship that is formed. Product architects are challenged to address security to reinforce this relationship.
An experienced product architect will translate concerns about device lifecycle functionality and data confidentiality into a set of security-related requirements. This set of requirements starts with the regulatory requirements for the target device market. For example, according to IEC 60601 3rd Edition Section 14.13, “software that is intended to be connected by Network/Data Coupling to other equipment that is outside of the control of the manufacture, the manufacture shall list the HAZARDOUS situations resulting from a failure of the Network/Data Coupling”. Another example is in FDA’s cybersecurity guidance document (issued October 2014), which states, where appropriate, that a layered authorization model differentiated by the role of the user or device should be employed.
Ensuring device security often does not stop with meeting just the set of regulatory requirements. Firms generally search for ways to enhance security further, as they are very concerned about the cost of potential security breaches and the ever-changing landscape of sophisticated attacks. The cost of a security breach and violation of your trust relationship with your customers can be high. It can also have a large impact on your firm’s reputation as well as sales, which can alter how the market views your other products. Legislation (specifically the Health Information Technology for Economic and Clinical Health Act, or HITECH) now requires firms to disclose breaches with possible financial penalties. The number of sophisticated attackers is also increasing as more robust attack tools become available, in turn increasing the overall risk of a security breach.
Medical devices are increasingly becoming more complex and part of larger systems, adding to the challenges that product architects face. Security challenges are no longer confined to the device itself. The rapid rise in interoperability requirements and overall device complexity force product architects to think about security challenges more holistically. Often devices are part of a much larger ecosystem of care. A device may connect to a PC, which then connects to a server in the cloud to transfer key medical data. The data may then be analyzed with the information flowing back to the device, following the same path. Data leakage and malicious modification may occur anywhere along the two paths.
The use of standards-based technologies and protocols for connecting devices may also increase the chance of a sophisticated attack; an attacker can use the connection as a way to get into the device. As a responsible citizen within the ecosystem, the device must not only have a level of security within itself but also enable security (and trust) across the ecosystem.
Various system engineering techniques can help product architects better understand the overall problem and develop appropriate countermeasures to form elements of a security plan. Some key techniques include system threat modeling and risk analyses. In threat modeling, an evergreen list of attack modes are developed and tested against the product architecture. The results are understood and countermeasures are developed. It is very helpful to maintain a library of attack modes that can be reused against future product architectures. In understanding the failure modes due to security, one must also perform a risk analysis, gauging the level of severity of the failure mode, along with the probability of occurrence to finally develop an appropriate design countermeasure. For example, a life-threatening failure mode should have much higher priority than one that may be viewed as an annoyance and limiting in impact.
Usability studies must also be taken into account when considering design countermeasures. For example, in cases requiring an authentication/authorization framework to address confidentiality, the framework should match the threat level and risk analysis; not every device needs the same level of confidentiality protection since the data being protected may not be useful outside of the device. Care should also be taken to make sure the security measure is optimized for the computing power available to the device. For example, it may be difficult for smaller devices to perform complex cryptography. If this is an absolute requirement, it might require modifications to the microprocessor and application code. The key here is to have experienced product architects that can find the optimal level of security that enables the appropriate level of trust while also enabling a great user experience.
Your commitment to your customer does not end when they have purchased your device; it lasts throughout its lifecycle. Since the landscape of security challenges is continuously changing, you should also have a plan to address these challenges post launch. If there is a security breach, you may need a way to heal the breach in the field. You should also create a device end-of-life strategy. If there are concerns about data that is retained in the device, there should be methods to remove the sensitive data from the device or make it unusable when the device is being disposed.
Security lifecycle challenges are broad and deep, but they can be addressed using system engineering principles and experienced product architects. Addressing these challenges will help you to ensure a long-lasting trust relationship with your customers.