There are some interesting influences on medical devices related to cyber security (yeah, I know, cyber. Common parlance is common parlance.) that you may or may not be aware of. I am not saying that medical devices are special snowflakes and nobody else knows our pain, but there are some things that are worth mentioning when we talk about cyber security in the context of medical devices.
Today we will explore the co-dependent trilogy of patient safety, validate state, and cyber security.
Let’s start with patient safety. Patient safety is paramount when we are talking about making changes to medical devices. This is especially true for devices that can kill or seriously harm you like infusion pumps and x-ray machines. It is less so for things like ultrasound machines and blood pressure cuffs. However, this is always the first question that must be asked when we start to make a change for security purposes. Will this increase, decrease, or be net neutral from a patient safety perspective.
Note: There is an underlying concern about usability that sneaks in to patient safely. It relates to making sure the device can be used in a situation where time lost using the device can equate to harm to the patient, i.e. can’t get an x-ray quickly enough because of poorly designed security controls which means the surgeon doesn’t know exactly what to do and the patient dies.
Validated state. What the heck is that? I had no idea before coming to work for my current employer. The validation process performed on a medical device is when the manufacturer implements procedures to ensure that the product
“meet[s] specific requirements for identity, strength, quality, and purity. In order to comply with cGMP, companies are required to record, track, manage, store and easily access various production documents and their detailed change history including Standard Operating Procedures (SOPs), Master Production Batch Record (MPBR), Production Batch Record (PBR), Equipment log books etc.”
That quote is taken from this page. If you really want to punish yourself, you can read the actual FDA guidance on this here. What does that mean in regards to real life and cyber security changes? It means that for every change to a medical device, the manufacturer MAY be required to perform a complete validation cycle. These validation cycles are expensive and time consuming.
Luckily, recent pre and post-market guidance from the FDA have clarified some things directly related to security updates that allow for a less strenuous validation process and there has always existed the possibility for a less intrusive process to be performed referred to as verification.
This brings us to cyber security. Cyber security engineering for medical devices, as in all development, is best done early and often in the development process.This ensures that patient safety concerns are constantly addressed and the device’s security stance is inherently included during any validation efforts. That takes care of development. Simple, huh? Of course, as the saying goes, “Simple doesn’t mean easy.”
What about security patching? If it can be demonstrated that the installation and/or configuration change being made does not affect the intended use of the device, a full validation cycle may not be needed. However, if it does, then validation must be done. This is a contributor to why you will see what appears to be rather long patch release schedules for some medical devices.
This is my no means a full treatment of these topics, but I thought it was worth a few words.