Medical Device Security Best Practices
Concern about medical device security is growing across the globe. In the U.S., new legislation is being introduced in response to the increasing number of connected devices and the ability of a cyberattack to disrupt patient care.
On June 8, 2022, the U.S. House of Representatives passed H.R. 7667, a bill which, among several other items, is meant to address the cybersecurity of medical devices. Specifically, the bill works to clarify what should be considered “reasonable” security for medical devices.
Here, we discuss what’s included in the bill for medical device security and what you can do to prepare for it.
What Is the Bill?
H.R. 7667 includes requirements for ensuring cybersecurity throughout the lifecycle of a cyber device, which is defined as a device that:
- Includes software, either as the device itself or within a device.
- Has the ability to connect to the internet.
- Has any technological characteristics that could be vulnerable to cybersecurity threats.
How Does the Bill Impact Medical Device Security and Medical Device Software Developers?
The bill specifies that, at a minimum, medical device manufacturers must:
- Have a plan to appropriately monitor, identify, and address, within a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
- Design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure.
- Make available updates and patches to the cyber device and related systems throughout the life cycle of the device.
- Provide in the labeling of the cyber device a software bill of materials.
- Comply with such other requirements as may be required to demonstrate reasonable assurance of the safety and effectiveness of the device for purposes of cybersecurity.
How to Prepare for the Bill: Medical Device Security Best Practices
To effectively prepare for the medical device security bill, you should adopt the following best practices.
FDA Cybersecurity Guidelines
FDA cybersecurity guidelines outline how to keep medical devices secure and help meet the requirements for clearance. The guidelines provide directions on how to:
- Provide documentation related to design controls, which must include documentation on design validation, software validation, and risk analysis.
- Ensure that incoming data is compliant with the required specifications and not modified in transit or at rest.
- Use industry-accepted best practices to maintain and verify the integrity of code while it is executed by the medical device.
- Design the medical device to detect and respond to cybersecurity risks, which includes cybersecurity updates, patches, and emergency workarounds.
- Implement medical device features that protect critical functionality and data, even if the medical device’s cybersecurity is compromised.
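To make the data-validation guideline above concrete, here is an added example that is not taken from the FDA guidance or from Perforce: a C routine for a hypothetical infusion-pump command frame, whose 8-byte layout, field limits and Fletcher-16 check are all constructed for this illustration. The parser checks the frame against its specification field by field, rejects anything corrupted in transit or at rest, and enforces hard rate and duration limits regardless of who sent the command, so a bad message leaves the last known-good setting in place. The checksum only detects accidental corruption; tamper-resistant integrity needs a MAC or signature, which is outside this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed 8-byte frame layout (hypothetical, not any real device protocol):
 *   byte 0 version (must be 1) | byte 1 command (0x01 = set rate)
 *   bytes 2-3 rate in 0.1 mL/h, big-endian | bytes 4-5 duration in minutes, big-endian
 *   bytes 6-7 Fletcher-16 over bytes 0-5, big-endian */
#define FRAME_LEN        8U
#define FRAME_VERSION    1U
#define CMD_SET_RATE     0x01U
#define RATE_MAX_TENTHS  5000U  /* hard ceiling 500.0 mL/h, enforced whatever the source */
#define DURATION_MAX_MIN 1440U  /* 24 hours */

typedef enum { FRAME_OK = 0, FRAME_ERR_LENGTH, FRAME_ERR_VERSION,
               FRAME_ERR_CHECKSUM, FRAME_ERR_COMMAND, FRAME_ERR_RANGE } frame_status_t;

typedef struct { uint16_t rate_tenths_ml_h; uint16_t duration_min; } rate_command_t;

/* Fletcher-16: detects accidental corruption. Not tamper-resistant; a real
 * device would use a MAC or signature in this position. */
static uint16_t fletcher16(const uint8_t *data, size_t len)
{
    uint16_t sum1 = 0U;
    uint16_t sum2 = 0U;
    size_t i;
    for (i = 0U; i < len; i++) {
        sum1 = (uint16_t)((sum1 + data[i]) % 255U);
        sum2 = (uint16_t)((sum2 + sum1) % 255U);
    }
    return (uint16_t)((sum2 << 8) | sum1);
}

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | (uint16_t)p[1]);
}

/* Check every field against the spec; write *out only when all checks pass so
 * the caller keeps its last known-good command on any failure (fail-safe).
 * Fixed-width types, no dynamic memory, one exit point, as MISRA C encourages. */
frame_status_t parse_rate_frame(const uint8_t *frame, size_t len, rate_command_t *out)
{
    frame_status_t status = FRAME_OK;

    if ((frame == NULL) || (out == NULL) || (len != FRAME_LEN)) {
        status = FRAME_ERR_LENGTH;
    } else if (frame[0] != FRAME_VERSION) {
        status = FRAME_ERR_VERSION;
    } else if (read_be16(&frame[6]) != fletcher16(frame, 6U)) {
        status = FRAME_ERR_CHECKSUM;
    } else if (frame[1] != CMD_SET_RATE) {
        status = FRAME_ERR_COMMAND;
    } else {
        uint16_t rate = read_be16(&frame[2]);
        uint16_t dur = read_be16(&frame[4]);
        /* Safety limits hold even if the sender is trusted or compromised. */
        if ((rate > RATE_MAX_TENTHS) || (dur == 0U) || (dur > DURATION_MAX_MIN)) {
            status = FRAME_ERR_RANGE;
        } else {
            out->rate_tenths_ml_h = rate;
            out->duration_min = dur;
        }
    }
    return status;
}

/* Builds a well-formed frame; used only to construct the sample inputs below. */
void build_rate_frame(uint16_t rate_tenths, uint16_t duration_min, uint8_t frame[FRAME_LEN])
{
    uint16_t ck;
    frame[0] = (uint8_t)FRAME_VERSION;
    frame[1] = (uint8_t)CMD_SET_RATE;
    frame[2] = (uint8_t)(rate_tenths >> 8);
    frame[3] = (uint8_t)(rate_tenths & 0xFFU);
    frame[4] = (uint8_t)(duration_min >> 8);
    frame[5] = (uint8_t)(duration_min & 0xFFU);
    ck = fletcher16(frame, 6U);
    frame[6] = (uint8_t)(ck >> 8);
    frame[7] = (uint8_t)(ck & 0xFFU);
}

/* Runs the constructed scenarios; returns how many behaved as required (5). */
int self_check(void)
{
    uint8_t frame[FRAME_LEN];
    rate_command_t cmd = { 0U, 0U };
    int passed = 0;

    build_rate_frame(1200U, 60U, frame);                 /* 120.0 mL/h for one hour */
    if ((parse_rate_frame(frame, FRAME_LEN, &cmd) == FRAME_OK) &&
        (cmd.rate_tenths_ml_h == 1200U) && (cmd.duration_min == 60U)) { passed++; }
    frame[3] ^= 0x01U;                                   /* one bit flipped in transit */
    if (parse_rate_frame(frame, FRAME_LEN, &cmd) == FRAME_ERR_CHECKSUM) { passed++; }
    build_rate_frame(6000U, 60U, frame);                 /* well-formed but unsafe rate */
    if ((parse_rate_frame(frame, FRAME_LEN, &cmd) == FRAME_ERR_RANGE) &&
        (cmd.rate_tenths_ml_h == 1200U)) { passed++; }   /* last good command retained */
    if (parse_rate_frame(frame, FRAME_LEN - 1U, &cmd) == FRAME_ERR_LENGTH) { passed++; }
    frame[0] = 2U;                                       /* unsupported protocol version */
    if (parse_rate_frame(frame, FRAME_LEN, &cmd) == FRAME_ERR_VERSION) { passed++; }
    return passed;
}
```

The ordering of checks matters: structural checks (length, version, checksum) run before the command is interpreted, and range limits are applied to the decoded values rather than trusted from the sender, which is what lets the device keep its critical function intact when the network side is not trustworthy.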
In addition to the above guidelines, you must also use a risk-based development strategy. Under the guidelines, a medical device is classified into one of two tiers:
- Tier 1: Connected devices that could greatly impact patient care if they were compromised. These devices have a higher risk of cybersecurity threats.
- Tier 2: All other devices that cannot be classified as Tier 1. These devices face standard cybersecurity risks.
For both tiers, you will need to complete the following:
- Conduct a thorough risk assessment to identify software security vulnerabilities.
- Understand the potential impact that each vulnerability could have, both on the medical device and the patient.
- Address software security vulnerabilities.
- Use design controls to ensure security.
- Establish data integrity requirements.
By following risk-based practices, you can more effectively address risks as they arise rather than after release when they can be more costly to fix.
For more information on FDA cybersecurity guidance, visit FDA CYBERSECURITY.
Medical Device Security Standards and Guidelines
Medical device development is highly regulated worldwide, and several key regulatory standards apply:
- ISO 13485 is a regulatory standard that specifies the quality management requirements for medical devices.
- ISO 14971 is a risk management regulatory standard for medical devices.
- FDA regulations are U.S. standards for medical device compliance.
- EU Medical Device Regulation is an EU standard that replaced the Medical Devices Directive, which covers the clinical investigation and sale of medical devices for human use.
However, the most relevant and essential international standard for medical device software is IEC 62304 “medical device software — software lifecycle process”, which applies to the development and maintenance of medical device software. It provides processes, activities, and tasks to ensure safety.
The standard includes software safety classifications to determine the safety-related processes that will need to be followed. This impacts the entire software development lifecycle.
There are three safety classes for medical device software:
- Class A: No injury or damage to health is possible.
- Class B: Injury is possible, but not serious.
- Class C: Death or serious injury is possible.
Compliance with IEC 62304 is essential as it satisfies the requirements of other regional standards. For example, the FDA accepts demonstration of compliance to IEC 62304 as evidence that regulatory processes have been fulfilled.
In addition, MISRA is often used in the development of medical device embedded software. This helps to meet the software acceptance criteria defined in IEC 62304.
How Static Analysis Supports Medical Device Security
One of the simplest ways for you to effectively ensure that your medical device software is compliant and secure is to use an industry-standardized tool — specifically a static analysis tool, which helps by:
- Enforcing coding standards and guidelines, including IEC 62304, CERT, and MISRA.
- Detecting code vulnerabilities, compliance issues, and rule violations earlier in development.
- Accelerating code reviews and manual testing efforts.
- Reporting on compliance over time and across product versions.
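Two points above, MISRA-style embedded C and static analysis catching rule violations early in development, are easier to picture with a worked case. The following is an added example, not code from Perforce or from any of the standards named: a constructed dose-volume calculation for a hypothetical device, shown first with the silent integer wrap-around a MISRA-checking static analyzer would report, then corrected with widened arithmetic and an explicit range check.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed calculation (hypothetical device, not from the page):
 * total volume in 0.1 mL = rate (0.1 mL/h) * duration (min) / 60.
 * Both inputs are uint16_t, so the product can reach 65535 * 65535. */

/* Defective version: the kind of silent wrap-around static analysis reports.
 * On a host with 32-bit int the product is exact but is truncated to 16 bits
 * when stored; on a 16-bit MCU the multiplication itself wraps. */
uint16_t total_tenths_ml_defective(uint16_t rate_tenths, uint16_t minutes)
{
    uint16_t product = rate_tenths * minutes;   /* implicit narrowing conversion */
    return (uint16_t)(product / 60U);
}

/* Corrected version: widen before multiplying, divide in 32 bits, and report
 * a result that does not fit instead of returning a wrong number. Callers must
 * use the return value, which a static analyzer can also enforce. */
bool total_tenths_ml(uint16_t rate_tenths, uint16_t minutes, uint16_t *out)
{
    bool ok = false;
    if (out != NULL) {
        uint32_t product = (uint32_t)rate_tenths * (uint32_t)minutes; /* always < 2^32 */
        uint32_t total = product / 60U;
        if (total <= (uint32_t)UINT16_MAX) {
            *out = (uint16_t)total;
            ok = true;
        }
    }
    return ok;
}

/* Constructed scenarios; returns how many behaved as expected (3). */
int dose_self_check(void)
{
    uint16_t v = 0U;
    int passed = 0;

    /* Small inputs: both versions agree (100 x 60 / 60 = 100), so unit tests pass. */
    if (total_tenths_ml(100U, 60U, &v) && (v == 100U) &&
        (total_tenths_ml_defective(100U, 60U) == 100U)) { passed++; }

    /* 120.0 mL/h for 10 h: correct answer 12000 (1200 mL); the defective
     * version stores 720000 mod 65536 = 64640 and returns 1077. */
    if (total_tenths_ml(1200U, 600U, &v) && (v == 12000U) &&
        (total_tenths_ml_defective(1200U, 600U) == 1077U)) { passed++; }

    /* 500.0 mL/h for 24 h does not fit in 16 bits: the corrected version says
     * so instead of returning the defective version's 942. */
    if (!total_tenths_ml(5000U, 1440U, &v) &&
        (total_tenths_ml_defective(5000U, 1440U) == 942U)) { passed++; }

    return passed;
}
```

The defect is invisible to tests that use clinically typical inputs, which is why the page's point about catching rule violations at build time rather than in testing matters: the narrowing assignment is flagged on every analysis run regardless of the input data.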
In addition, both Helix QAC and Klocwork are certified by TÜV SÜD for use in safety-critical systems, including IEC 62304 up to Software Safety Class C.
See for yourself how Perforce static analysis tools can help ensure that your medical device software is compliant and secure. Request your free 7-day trial today.