Medical devices, which are more complex than ever, face new security challenges, especially now that they are connected to the outside world for remote access and monitoring, or used in home care applications. These risks raise the stakes for manufacturers' product safety liability, since a security vulnerability can affect human lives.
Unlike enterprise and government technology, where cybersecurity has been a mainstay for years, product security is a relatively new discipline for medical device manufacturers. Meanwhile, the use of third-party software, including open-source components and libraries, in connected devices further raises the ante, making software supply-chain security increasingly critical.
Even though threat assessment and mitigation of third-party components is still an emerging discipline, some early medical-device-specific standards, such as ISO/IEC 62304, do provide guidance for defining risk- and quality-driven processes for medical device software development.
The FDA also recently issued new draft guidance for medical device manufacturers on how to address cybersecurity risk for premarket approval of equipment. The draft, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," includes guidance on generating an SBOM (software bill of materials). It calls for manufacturers to provide, in the premarket submission for their devices, SBOMs that identify third-party and open-source components and to demonstrate that they are capable of updating and patching security issues.
Given these challenges, a new approach to medical device software development is required to keep pace with market challenges and lower the liability associated with product safety and security. Here are four pillars for managing the medical device software supply chain.
- Design with a security-first philosophy: Treating security as a primary requirement alongside safety and functionality is crucial in developing secure medical devices. Security can't simply be added on later.
- Shift security left: The best time to detect security vulnerabilities is as soon as developers write new code (or test cases) and before it is submitted to a build or software control system. Finding and fixing vulnerabilities as early as possible in the SDLC (software design life cycle) reduces risk, cost, and delay.
- Assess third-party software: Most projects require the use of open-source, commercial, and SOUP (software of unknown pedigree) components. Perform software composition analysis of all third-party software to create SBOMs, detect security vulnerabilities, and enable remediation and risk reduction.
- Audit continuously: Auditing software under development on a continuous basis to ensure quality, security, and safety at every stage is critical to success. Ensuring that a product meets audit standards before shipping demonstrates the due diligence and risk management required for FDA premarket approval.
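The third pillar, assessing third-party software, is the one most easily turned into a repeatable check: once a build produces an SBOM, the component list can be matched against an advisory feed on every build, and components that cannot be identified (the SOUP the article mentions) can be flagged for manual review. The script below is an added illustration written for this page, not code from the article's authors or from any vendor tool. It reads a small constructed CycloneDX-style SBOM for a hypothetical firmware image, matches each component against a constructed advisory list with placeholder identifiers (the component names, versions, and affected ranges are invented for the example and are not real vulnerability data), and reports both matches and unidentifiable components.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical firmware build.
# Component names and versions are illustrative, not a real product's inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "firmware", "name": "example-pump-fw", "version": "3.1.0"}},
  "components": [
    {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "mbedtls", "version": "2.16.4", "purl": "pkg:generic/mbedtls@2.16.4"},
    {"type": "library", "name": "vendor-ble-stack", "version": "0.9.2"}
  ]
}
"""

# Constructed advisory feed. Each entry says: versions >= introduced and < fixed
# are affected. IDs are placeholders, not real CVE or advisory numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "zlib", "introduced": "1.2.0",
     "fixed": "1.2.12", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "name": "mbedtls", "introduced": "2.0.0",
     "fixed": "2.16.5", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-3", "name": "libfoo", "introduced": "1.0.0",
     "fixed": "1.0.1", "severity": "low"},
]


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple, e.g. '1.2.11' -> (1, 2, 11)."""
    return tuple(int(part) for part in text.split("."))


def load_components(sbom_text):
    """Return (name, version, purl) triples from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c["version"], c.get("purl"))
            for c in doc.get("components", [])]


def find_affected(components, advisories):
    """Match each component against the feed; return one finding per hit."""
    findings = []
    for name, version, _purl in components:
        installed = parse_version(version)
        for adv in advisories:
            if adv["name"] != name:
                continue
            if parse_version(adv["introduced"]) <= installed < parse_version(adv["fixed"]):
                findings.append({
                    "id": adv["id"],
                    "component": name,
                    "installed": version,
                    "fixed_in": adv["fixed"],
                    "severity": adv["severity"],
                })
    return findings


def unidentified_components(components):
    """Components without a package URL cannot be matched reliably: treat as SOUP."""
    return [name for name, _version, purl in components if not purl]


def audit(sbom_text, advisories):
    """Full check for one build: advisory matches plus components needing manual review."""
    components = load_components(sbom_text)
    return {
        "findings": find_affected(components, advisories),
        "needs_review": unidentified_components(components),
    }


if __name__ == "__main__":
    report = audit(SBOM_JSON, ADVISORIES)
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['component']} {f['installed']} "
              f"affected by {f['id']}; fixed in {f['fixed_in']}")
    for name in report["needs_review"]:
        print(f"[review] {name}: no package URL, cannot be matched against advisory feed")
```

Running the check from CI on every build, and failing the build on any high-severity finding or any unidentified component, is what turns the SBOM from a submission artifact into the continuous audit the fourth pillar describes. A real pipeline would fetch advisories from a maintained source and handle non-numeric version schemes, which this example deliberately leaves out.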
While this list may seem like a tall order to adopt in the short term, software supply chain security is a long-term problem. Start small and implement these best practices gradually. In the near term, application security testing and analysis tools can improve the security of newly developed code and help catalog the risks present in third-party software already in use.
Medical device software developers need to adapt to changing security dynamics. The horse has left the barn, and the use of third-party software and open-source code in embedded medical applications is now the norm. Therefore, a proactive risk management process to ensure the safety and security of the software supply chain is required.
Implementing these four security pillars at every stage of the SDLC will help ensure you diagnose problems early and cure them before they reach an advanced stage that can result in product delays or recalls.
Vince Arneja is the chief product officer at GrammaTech, Maryland. He has more than 20 years of management experience in product strategy spanning application, cloud, mobile, endpoint, and network security. Arneja also serves as an advisor to various cybersecurity companies.
Peter Winston is the founder and CEO of ICS (Integrated Computer Solutions), Massachusetts. ICS creates embedded touchscreen, voice and gesture-powered smart devices and products – everything from high-performance medical devices, in vitro diagnostic instruments, and scientific software to embedded air traffic control systems, smart agri-business equipment, and in-vehicle infotainment systems for Tier-1 automakers.