Medical devices are only as secure as the software they run on, and it has been well documented that software security remains an issue in this critical domain. The U.S. FDA and Department of Homeland Security are actively addressing vulnerabilities and raising awareness, but we remain in a reactive, “discover-patch-release” mode. In fact, the current, booming market for cybersecurity professionals in general appears to be based on a reactive stance. There’s a better way – the time-tested ounce of prevention.
Many, if not most, medical device software vulnerabilities – those actually exploited in current attacks – I would characterize as implementation errors in the software. They’re not design errors. They’re basically mistakes in programming. Hackers exploit these mistakes, enabling them to take over systems including, unfortunately, medical devices. The good news is that, to a large degree, these programming errors are avoidable.
My colleague Tom Haigh and I have written, and the IEEE Cybersecurity Initiative has published, “Building Code for Medical Device Software Security” to address the issue. This modest paper grew out of a workshop on the topic that we held in New Orleans in November 2014. To some extent, the paper presents a set of components that represent the consensus of the group that attended that workshop.