• Medisao

Let's take a moment to get back to the basics of cybersecurity in medical product design. The goal is to prepare a solid list of things to be on the lookout for when doing a cybersecurity risk analysis.

Don't use hard-coded credentials

Hard-coded usernames and passwords are still one of the most pervasive trends in medical device design. It's not hard to see why they are so tempting. They are easy to implement and easy to keep track of. The problem is that they are hard to keep secret. All it takes is one leak and your entire product line is instantly insecure. Passwords need to be device-specific and easily changed in case something happens.

Sanitize your inputs

There was a time when it could be assumed that all input came from a trusted, knowledgeable, and non-malicious source (e.g. a doctor or nurse). With the rise of connected medical devices, this is no longer the case. Any input from the network could be malicious and must be sanitized. Even rarely-looked-at standards need to be carefully examined. For example, does your medical device accept HL7 v3 XML as part of LIMS communication? There are numerous XML vulnerabilities related to arbitrary XML document parsing that can cause your device to crash, potentially leak PHI, or be used to attack a hospital network. All of these attacks leverage standards-compliant XML and can be used to abuse systems that don't authenticate before parsing. Many can be prevented by just disabling unneeded XML parser features. All external input, no matter how trivial, even if it's "just XML", should be sanitized and evaluated for potential risk.
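The following Python example is added here and is not code from the original post: it parses untrusted XML with the standard library's expat bindings while refusing DOCTYPE declarations, entity declarations and external entity references, and capping message size and nesting depth. The limits, the names `RejectedXML` and `parse_untrusted_xml`, and the sample messages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_BYTES = 1_000_000  # assumed cap on message size
MAX_DEPTH = 64         # assumed cap on element nesting

class RejectedXML(ValueError):
    """Raised when input uses a forbidden feature or is malformed."""

def _forbid(feature):
    def handler(*_args):
        raise RejectedXML(f"{feature} is not allowed")
    return handler

def parse_untrusted_xml(data: bytes) -> ET.Element:
    if len(data) > MAX_BYTES:
        raise RejectedXML("message too large")
    parser = expat.ParserCreate()
    builder = ET.TreeBuilder()
    depth = 0

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise RejectedXML("nesting too deep")
        builder.start(name, attrs)

    def end(name):
        nonlocal depth
        depth -= 1
        builder.end(name)

    # Refuse the parser features behind entity-expansion and XXE issues.
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.ExternalEntityRefHandler = _forbid("external entity")
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = builder.data
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return builder.close()

# Constructed sample inputs (not real device traffic).
BENIGN = b'<ClinicalDocument xmlns="urn:hl7-org:v3"><id root="1.2.3" extension="42"/></ClinicalDocument>'
WITH_DTD = b'<!DOCTYPE m [<!ENTITY a "x">]><m>&a;</m>'
```

Rejecting the message outright, rather than silently stripping the DOCTYPE, gives the device a clear event to log and count.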

Update: See Part 2 of this series...


In an uncharacteristically quick move, the FDA released this official guidance less than a year after the draft was released for comments. This guidance for medical device manufacturers "recognizes today’s reality – cybersecurity threats are real, ever-present, and continuously changing."

For more information on the FDA Postmarket Cybersecurity Guidance, see the post below from Dr. Suzanne B. Schwartz:

http://blogs.fda.gov/fdavoice/index.php/2016/12/managing-medical-device-cybersecurity-in-the-postmarket-at-the-crossroads-of-cyber-safety-and-advancing-technology/


The Medical Device Security 101 Conference, hosted by the University of Michigan’s Archimedes Center for Medical Device Security, is a 2-day educational workshop taking place in Lake Buena Vista, Florida from January 15-17, 2017 for medical device manufacturers, industry regulators, and healthcare providers to learn and speak frankly about medical device security threats and solutions.

This conference is a great way to learn about state-of-the-art cybersecurity programs and get hands-on advice from industry experts on setting up your own.
