Manufacturers and developers of modern medical devices have to deal with hugely expanded threats. In this webinar with Q1 Productions, we'll share our experience with creating medical device software and its complexity. We’ll go through common areas of vulnerability for medical devices and talk about how to address these vulnerabilities in an efficient way.
3. Integrated Computer Solutions Inc. www.ics.com
How Do You Trust a Medical Device?
● Arbitrary computation is possible with a modern CPU + OS
● Functionality constrained by software, not circuits
● Need to trust all of the software to trust the device
● Where does software come from? Can it be changed?
Threats to Medical Devices
● FDA has dealt with a stream of high-profile cybersecurity issues
  ● Flaws found - Pacemakers, control units, heart monitors etc.
  ● FDA now paying ever-increasing attention to this area
● Expanded threats
  ● 30% more PHI breaches occurred in 2020
  ● More Medical Devices in Homes
  ● Windows often targeted but...
  ● Linux-specific threats emerging
  ● Hw Root of Trust counteracts
Cybersecurity needs to be considered up front
Confidentiality
● Personal Information and Data
  ● Name/Address
  ● Medical information
  ● Credit Card Details
  ● Email addresses
● GDPR/HIPAA/Many other regulations
● Proprietary Information
  ● Trade Secrets
Integrity
● Risk of data being tampered with
  ● Identity spoofing
  ● Data Corruption
  ● Access-control tampering
  ● Weaknesses introduced
Availability
● Need data and functionality to be available when required
● Denial-of-service attacks can prevent this
● Data can be maliciously encrypted
  ● Ransomware
● Non-malicious events a major cause also
Cybersecurity Challenges
● Design to meet standards and minimize risk
  ● Forest of standards
  ● Threat landscape constantly evolving
● Design for maintenance
  ● COTS Sw - but Medical Device lifespan > 10 yrs
[Lifecycle diagram: Requirements & Design → Implementation → Deployment & Production]
● Optimal implementation
  ● Crypto - Securing Keys - Hw protection
  ● User Authentication
  ● Sw Update/Secure Boot
● Maintenance
  ● Monitoring
  ● Sw Update cost/complexity
Example of Cybersecurity Solution
● Cybersecurity solution developed for key customer
● Medical Device for testing - Touchscreen/Qt based
● Device contains test results - potentially PHI (Protected Health Information)
● Cybersecurity Solution here is tied to CPU
● Hardware protection of Sensitive Data is critical
[Diagram: Device built on a Secure Hw Root of Trust]
Cybersecurity for a Medical Embedded Device
[Architecture diagram of the Device]
● Software stack: Qt Application / Linux / Bootloader
● Secure Boot
● Secure Import/Export (WiFi/Eth/USB)
● Secure User Login
● Secure Storage
● Key Storage
● Sw Updates
● Data from Device
● Firewall
UL 2900
● Series of standards relating to cybersecurity and information security
● Aligns with FDA Guidance around Premarket Submissions for Management of Cybersecurity in Medical Devices
● Aligns with NIST principles: Identify, Protect, Detect, Respond, Recover
● Uses NIST standards for many details around acceptable encryption/verification algorithms etc.
● Also aligns with the Postmarket Management of Cybersecurity recommended by FDA
● Provides a Framework to structure submissions for regulatory approval
UL 2900 Series of Standards
● General Product Requirements
  ● ANSI/UL 2900-1 - Software Cybersecurity
● Industry Specific
  ● ANSI/UL 2900-2-1 - Healthcare Systems
  ● ANSI/UL 2900-2-2 - Industrial Control Systems
  ● ANSI/UL 2900-2-3 - Security/Life Safety
Standards Forest
● FDA Pre-market Guidance for Mgt of Cybersecurity in Medical Devices
● FDA Post-market Guidance for Mgt of Cybersecurity in Medical Devices
● UL 2900-1 - Software Cybersecurity
● UL 2900-2-1 - Healthcare Sector
● NIST FIPS 200 - User Auth
● NIST FIPS 140-2 - Crypto
● ISO 14971 - Medical Device Risk Mgt
● 21 CFR 820 - Medical Device Quality
● ISO 27000 - Infosec Mgt
● IEC 80001 - Risk Mgt - N/W with Medical Devs
● ISO 31000 - Gen Risk Mgt
● HSCC JSP - Medical Device Cybersec
UL 2900 - Process and Design Mapping
Area | UL 2900-1 Clause | UL 2900-2-1 Clause | Requirements
Documentation of Product Design | Clause 4, 5 | Clause 12 | Design Documentation; Interface List; Software BOM
Documentation for Product Use | Clause 6 | Clause 6 | Encryption of data at rest and in transit; Authentication of comms
Risk Controls and Management | Clause 7, 12 | Clause 12 | Risk Mgt Process; Threat Analysis; Traceability Matrix; Risks, Vulnerabilities, Weaknesses
Software Analysis | Clause 17, 18, 19 | | Software Weakness Analysis; Static Source Code Analysis; Static Binary and Bytecode Analysis
UL 2900 - Functionality Mapping
Area | UL 2900-1 Clause | UL 2900-2-1 Clause | Functionality
User Authentication | Clause 8 | Clause 12.4 | Secure User Access; Passwords
Remote Comms | Clause 9 | | Encryption of data in-transit; Authentication of comms
Sensitive Data | Clause 10 | Clause 16 | PHI, PII, IP protection; Encryption of data at rest/in motion
Software Update | Clause 11 | Clause 12.4 | Encrypt and Authenticate Updates; Restrict who can Update; Secure Boot; Product Decommissioning; Security Log
UL 2900 - Security (Penetration) Testing Mapping
Area | UL 2900-1 Clause | UL 2900-2-1 Clause | Functionality
Software Evaluation | Clause 13 | | Check for known vulnerabilities from NVD; Process for handling security vulnerabilities documented
Penetration Testing | Clause 14, 15, 16 | | Malware Testing/Scanning; Malformed Input Testing; Structured Penetration Testing; DoS test; Elevate Privilege Test; Scan ports, i/fs and services
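The Software Evaluation row (check components for known vulnerabilities from the NVD) and the Software BOM requirement from the Process and Design mapping meet in a check like the following. This is an added example, not ICS code or UL 2900 text: the SBOM entries, the vulnerability records and their ids are constructed sample data, and the record fields (id, package, introduced, fixed) are an assumed simplification rather than the NVD schema.

```python
import re

# Constructed SBOM for a hypothetical device image: (package, version).
# Names and versions are made up for the example.
DEVICE_SBOM = [("openssl", "1.1.1k"), ("busybox", "1.31.0"), ("qtbase", "5.15.2")]

# Constructed vulnerability records; ids are placeholders, not real CVEs.
# Affected range is [introduced, fixed); fixed=None means no fix released yet.
VULN_FEED = [
    {"id": "VULN-EXAMPLE-0001", "package": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "VULN-EXAMPLE-0002", "package": "busybox", "introduced": "1.9.0", "fixed": "1.30.0"},
    {"id": "VULN-EXAMPLE-0003", "package": "qtbase", "introduced": "5.0.0", "fixed": "5.15.0"},
]


def version_key(version):
    """Split a version into comparable parts so that 1.31.0 > 1.9.0 and
    1.1.1k < 1.1.1l. A plain string compare gets the first case wrong
    ("1.31.0" < "1.9.0") and would flag an already-patched component.
    Pre-release tags such as -rc1 are not modelled here."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def match_sbom(sbom, feed):
    """Map each matching vulnerability id to the (package, version) it hits.
    The result is the input to the documented vulnerability-handling process."""
    findings = {}
    for package, version in sbom:
        for rec in feed:
            if rec["package"] == package and is_affected(version, rec["introduced"], rec["fixed"]):
                findings[rec["id"]] = (package, version)
    return findings


if __name__ == "__main__":
    # Only the openssl entry falls inside an affected range in the sample data.
    for vuln_id, (pkg, ver) in sorted(match_sbom(DEVICE_SBOM, VULN_FEED).items()):
        print(f"{vuln_id}: {pkg} {ver} is in an affected range")
```

Because a fielded medical device may run the same COTS components for over a decade, the same matching is rerun against a refreshed feed at each maintenance cycle rather than once at submission.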
Cybersecurity for Medical Devices vs Your Laptop
Your Laptop
● Regularly Updated
● Update Reminders/Antivirus Sw
● Updates from Microsoft/Sw Vendors
● General threats target here first
Medical Devices Sw
● Seldom updated
● Limited interaction/visibility with internals
● Updates from Manufacturer
● More specialised threats
The Chain of Trust
‘Human error’ leading cause of data breaches
[Chain of trust diagram: Cloud Hosting / App Developer / Sw Developer / MDM / Healthcare Organization]
The Chain of Trust for Secure Deployment
Deployment of a Secure Medical Device needs up-front planning
[Diagram: Protected Devices / Manufacturing / Trusted Secrets/Keys / Organization Root of Trust]
About ICS and Boston UX
Creating Transformative Products That Advance Patient Care
www.ics.com/medical
ICS’ design studio specializes in intuitive touchscreen and multimodal interfaces for high-impact embedded and connected devices.
Established in 1987, ICS delivers innovative medtech solutions with a full suite of services to accelerate development, testing and certification of successful next-gen products.
ICS and Boston UX are headquartered in Waltham, Mass. with offices in California, Canada and Europe.
Delivering a Full Suite of Medtech Services
● Human Factors Engineering
● IEC 62366-UX/UI Design
● Custom Frontend and Backend Software Development
● Development with IEC 62304-Compliant Platform
● Low-code Tools that Convert UX Prototype to Product
● Medical Device Cybersecurity
● AWS and Azure Cloud Services and Analytics
● ISO 14971-Compliant Hazard Analysis
● Software Verification Testing
● Complimentary Software Technology Assessment