Episode 5 · November 26, 2024 · 28m listen · 461 words · ~2 min read

Building Resilient Medical Devices: A Look at the Essential Technologies and Infrastructure | Ep. 4 - Full Transcript | The Med Device Cyber Podcast

Read the complete, searchable transcript of Episode 5 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

Prefer the listening experience? Open the episode page for the synopsis, key takeaways, topics, and Apple / YouTube listen links.

Episode summary

This episode of "The Med Device Cyber Podcast" delves into the critical security considerations for medical devices during the design phase, focusing on preventing vulnerabilities and addressing regulatory requirements. It highlights the FDA's key areas for cybersecurity, emphasizing the distinction between functional and non-functional requirements, with cybersecurity often falling into the latter. The discussion covers eight essential cybersecurity controls: authentication, authorization, cryptography, code data and execution integrity, confidentiality, event detection and logging, resilience and recovery, and firmware and software updates. The podcast provides practical examples, such as the risks of default credentials, broken authorization, and unencrypted hard drives. It also explores the multi-patient harm view, a significant concern for the FDA, detailing how a breach can affect numerous patients. The hosts advocate for a secure software development life cycle (SSDLC) and DevSecOps, stressing the importance of integrating security early in the design process to save time, money, and avoid costly redesigns. This episode offers valuable insights for product security teams, regulatory leads, and engineers navigating the complex landscape of medical device cybersecurity.

Key takeaways from this episode

Cybersecurity considerations should be integrated early in the medical device design phase to prevent vulnerabilities and address regulatory requirements effectively.
The FDA emphasizes eight key cybersecurity controls: authentication, authorization, cryptography, code data and execution integrity, confidentiality, event detection and logging, resilience and recovery, and firmware and software updates.
Authentication involves proving user identity, often enhanced by multi-factor authentication, while authorization ensures users only access data they are approved for.
Cryptography is crucial for data at rest and in transit, protecting sensitive information from unauthorized access and ensuring data integrity.
Code data and execution integrity focus on preventing tampering of software, data, and runtime environments, often employing secure boot and audit trails.
While convenient, remote firmware and software updates introduce potential security risks, necessitating secure update infrastructures and careful consideration of the attack surface, particularly regarding network connectivity.
Implementing a secure software development life cycle (SSDLC) from the initial inception phase is paramount to developing resilient medical devices, reducing remediation costs, and avoiding significant redesigns later.
Medical device manufacturers must consider the unique attack surface and specific security needs of each device, as the term "medical device" encompasses a vast range of products with varying complexities.

Full episode transcript

Hey there, welcome back! Today, we're going to be talking about security considerations as part of the design phase of a device and what can be done to prevent vulnerabilities from popping up further right in the development process. We'll also look at some of the big considerations as far as the areas that should be covered by security in the eyes of regulatory bodies such as the FDA. Sounds pretty serious stuff. Oh, yeah, yeah. When we're looking at medical devices and the impact of breaching them, it can get pretty serious. Alright, and where do these controls come from? Are these standard best practices or where do they come from? These controls are partially going to be standard best practices industry-wide, and they're also going to come from the FDA's requirements since that's what we have the most experience dealing with. What we see the most of and what the FDA sees as the most important areas to address cybersecurity. Okay, awesome. So I think one of those requirements is authentication, is that correct? Yeah, and how we're getting to the controls around these requirements. So I want to talk a little bit about a requirement in a device. Period. So there can be a good place to start, we should back up a little bit and talk about that. Yeah, yeah, all right, go ahead. Sorry, there are going to be the functional requirements in a device. So if I have my cell phone right here, a functional requirement is put a password in place to log into the phone. Now, the non-functional requirement there might be how is that password protected? Is it just stored in plain text somewhere in the phone where if someone gets in they can just read it? Is it hashed in some way? Is it stored up in the cloud? Is there an authentication manager? The non-functional requirements are sort of where it can get a little bit murky and where security really needs to be looked at. So for each of these items, they are typically going to be the non-functional requirements that we're looking at more. And for each of the functional requirements, we need this kind of like cybersecurity as a whole isn't cybersecurity as a whole like a non-functional requirement typically? Pretty much. A lot of people see cybersecurity as a necessary very evil. It's that one thing you have to do once a year to make sure that you're able to keep selling your product, which is often a hard way to think about it since that means you're often not addressing security at the very beginning and often making it a little bit harder on yourself later down the line. So that's what does that mean,