Shostack + Friends Blog


Medical Device Security Standards

Recently, I've seen four cybersecurity approaches for medical devices, and we can learn by juxtaposing them.

The Principles and Practices for Medical Device Cybersecurity is a process-centered and comprehensive document from the International Medical Device Regulators Forum. It covers pre- and post-market considerations, as well as information sharing and coordinated vuln disclosure. It's important because requiring a device maker to comply with different standards in different countries at least drives up cost, and can easily lead to a situation where they're required to meet either contradictory or difficult-to-reconcile demands.

In contrast, the MITA has released a "material data sheet" for product cybersecurity. This one doesn't impose any requirements on the development process, but enumerates the information that professionals dealing with the device need to know. (Connectivity, updatability, et cetera. Roughly 250 questions of the form "Does the device employ any mechanism (e.g., release-specific hash key, checksums, digital signature, etc.) to ensure the installed software is manufacturer-authorized?")

"MITA Releases National Standard for Medical Device Security" (link no longer works) is about disclosing what the device does: for example, does it send patient PII anywhere or listen on the network?

The MDS is factual — it doesn't judge the choices made, just makes them concrete. Compare to INCLUDES NO DIRT (covered yesterday) whose very name expresses intent.

Lastly, the Medical Device Innovation Consortium has been awarded funding for "Expansion of Case for Quality and Cybersecurity Threat Modeling." I cannot tell you how positive I think this development will be.