framework that defines 18 families of cybersecurity controls (see sidebar) that can be used to identify relevant cybersecurity vulnerabilities for medical devices or mHealth apps. These resources provide best practices for medical device development, vulnerability assessment and post-market updates.

Device developers can use these guidelines when creating a cybersecurity plan for medical devices, and their plan should include several components that span the development process.
Before device design begins, manufacturers should perform market research and analysis to identify relevant and emerging cybersecurity risks and stakeholder requirements. Many hospital purchasers now write cybersecurity requirements into purchasing contracts and expect written documentation of the cybersecurity plan.
Cybersecurity needs to be built into the design process from the beginning. This should include development of a device-specific threat assessment that characterizes, models and measures threats specific to the device, such as points of connection, methods of updating code, data storage and data transmission. The threat assessment will help developers make design decisions that minimize cybersecurity risks.
Generally, vulnerabilities should be assessed at the prototype or pre-launch phase. This may include penetration testing, in which security experts try to break into the device. It also may include “fuzz testing,” in which the device is flooded with massive amounts of mutated data to uncover the potential for abnormal behavior, crashes or data corruption. Vulnerability assessment can help uncover conditions that may result in the device returning bad data.
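As an added illustration of the fuzz-testing step described above (example code written for this page, not from the article or from Battelle): a small mutation fuzzer run against a constructed, deliberately fragile record parser standing in for a sequencer's telemetry format. The record layout, the `RecordError` class and the parser's two defects are assumptions made for the example; the harness separates expected rejections from the two kinds of finding the paragraph names, crashes and records accepted with bad data.

```python
import random
import struct
MAGIC = b"SEQ1"  # constructed format: magic, big-endian length, payload, 1-byte checksum
class RecordError(Exception): """Rejection the parser is expected to raise on malformed input."""

def make_record(payload: bytes) -> bytes:
    return MAGIC + struct.pack(">H", len(payload)) + payload + bytes([sum(payload) & 0xFF])

def parse_record(buf: bytes) -> dict:
    # Assumed prototype parser with two defects: decodes before checking the checksum, ignores length.
    if len(buf) < 7:
        raise RecordError("short record")
    magic, length = struct.unpack_from(">4sH", buf, 0)
    if magic != MAGIC:
        raise RecordError("bad magic")
    payload = buf[6:-1]
    bases = payload.decode("ascii")  # UnicodeDecodeError is not a RecordError: a crash
    if sum(payload) & 0xFF != buf[-1]:
        raise RecordError("checksum mismatch")
    return {"length": length, "bases": bases}  # length may disagree with bases

def mutate(data: bytes, rng: random.Random) -> bytes:
    # One to four random mutations: bit flip, truncate, or insert a random byte.
    b = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "truncate", "insert"))
        if op == "flip" and b:
            b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
        elif op == "truncate" and len(b) > 1:
            del b[rng.randrange(1, len(b)):]
        elif op == "insert":
            b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    return bytes(b)

def fuzz(seed_record: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    # Expected rejections are ignored; crashes and silently accepted bad data are findings.
    rng = random.Random(seed)
    findings = {"crash": [], "bad_data": []}
    for _ in range(iterations):
        case = mutate(seed_record, rng)
        try:
            rec = parse_record(case)
        except RecordError:
            continue
        except Exception as exc:
            findings["crash"].append((type(exc).__name__, case))
            continue
        if rec["length"] != len(rec["bases"]):
            findings["bad_data"].append(case)
    return findings
```

Each entry in `findings` is a reproducer the developer can replay after the fix; the bad-data class is the one a checksum alone never catches, because the checksum here covers the payload but not the length field.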
After market release, developers need to have a plan for updating the device as new security threats are identified and the software ecosystem surrounding the device changes. For example, an update to an operating system or a browser on a computer that connects to a genetic sequencer may necessitate updates to the code of the sequencer itself. Newly discovered viruses also may drive software updates. Developers must have a plan to make these updates securely, without opening up new vulnerabilities.
It is also recommended that developers have a responsible disclosure policy in place to collect and respond to vulnerabilities discovered by users or security professionals once the device is on the market.
There could be some bumps in the road. After all, precision medicine is still in its infancy. As exploration continues to reveal the links between genes, environment, behavior and health outcomes, the applications for precision medicine are likely to explode. The success of that growth depends on the security and integrity of the data used to drive decisions.
If cybersecurity is not part of a company’s core expertise, a good strategy is to bring in security experts for objective third-party opinions or to assist with threat assessment, secure device development and vulnerability testing.
No device is ever 100 percent secure, but medical device developers who integrate cybersecurity throughout their development process will be well prepared to address and mitigate potential data security risks. A comprehensive approach to cybersecurity will help protect the privacy and integrity of patient data, building trust among users and buyers and reducing liabilities. Increasing the security of medical devices creates a solid foundation of trustworthy data for precision medicine to grow on.
Stephanie Domas is lead security engineer for Battelle’s DeviceSecure Services. Dr. Nancy McMillan is a manager and research leader at Battelle. The views expressed here are theirs alone.
contact: Stephanie Domas,
and Nancy McMillan,
Medical Device Cyber Vulnerabilities

NIST has developed a framework for medical device cybersecurity that defines 18 families of cybersecurity controls. For more details on each of these controls, go to http://csrc.nist.gov/ and, in the search bar, search for “18 separate families.” They include:
Awareness and Training.
Audit and Accountability.
Certification, Accreditation and
Identification and Authentication.
Physical and Environmental
System and Services Acquisition.
System and Communications
System and Information