IEEE publishes medical device security guidance for software development

IEEE Cybersecurity Initiative is addressing medical device security with a new set of software development guidelines.

The guidance, Building Code for Medical Device Software Security, is authored by security research scientists Tom Haigh and Carl Landwehr and tackles "the bricks used to build the structure, not its architecture."

The devices the guideline addresses are wide-ranging, from wearables and bedside tools to MRIs and electronic health systems.

The guidelines are divided into 10 categories, including the following:

  • Programming language selection, use and analysis.
  • Use of secure coding standards.
  • Providing audit trail for security-related events.
  • Digitally signed firmware and provenance.

The U.S. Food and Drug Administration also published device cybersecurity guidance in October. For its guidance, the agency calls on device makers to account for cybersecurity risks during design and creation, and to submit documentation on any risks identified and controls developed to lessen such risks. FDA also says it wants to see manufacturers' plans for patching and updating medical software and operating systems.

The IEEE guidance is just a starting point for developers to "rule out the most commonly exploited classes of software vulnerabilities during the implementation phase," Landwehr, IEEE fellow and research scientist, said in an announcement.

"There is more work to do, so we encourage the industry to participate in our effort," he said.

Developers must think about device security from the start, rather than tack it on as an afterthought, the Atlantic Council argued in a recent report produced in conjunction with Intel Security. The report called for improvements to public-private and private-private security collaborations, as well as an "evolutionary change of the regulatory approval paradigm" for medical devices.

According to the American Hospital Association, though, medical device cybersecurity should be the responsibility of device makers. In a December letter to the FDA, the association called on the agency to "hold device manufacturers accountable" for ensuring the safety of medical devices from cyberthreats.

To learn more:
- check out the guidelines
- read the announcement