News Feature | May 20, 2015

IEEE Unveils Guidelines For Medical Device Software Security

By Jof Enriquez,
Follow me on Twitter @jofenriq

Internal Threats Concern To Healthcare Providers

The Institute of Electrical and Electronics Engineers (IEEE) recently unveiled basic guidelines to help manufacturers avoid or reduce cybersecurity threats that allow medical devices to leak sensitive data, or to have their function altered.

Entitled Building Code for Medical Device Software Security [PDF], the set of guidelines aims “not to assure that future medical devices can resist every imaginable attack, but rather to establish a consensus among experts in medical devices, cybersecurity, and computer science on a reasonable model code for the industry to apply.”

A group of 40 volunteers with varying backgrounds in cybersecurity, programming languages, software engineering, medical device development, medical device standards, and medical device regulation worked together to create the elements and structure of the code. They also participated in a two-day workshop in November 2014 to write the final draft of the code. The workshop was co-sponsored by the IEEE Cybersecurity Initiative and the National Science Foundation (NSF).

“Similar to building codes that were developed over centuries to guide the production of physical buildings, the elements contained in Building Code for Medical Device Software Security are intended as the beginning of a model code for software security for the medical device industry,” stated Carl Landwehr, IEEE Fellow and research scientist at the Cyber Security Policy and Research Institute at George Washington University. Landwehr was the workshop co-leader and the draft code report's co-author.

Most elements of the draft code pertain to the implementation phase, which the IEEE describes as the main source of software errors and vulnerabilities in medical devices. The design and test phases of the code need to be expanded with further input from engineers, programmers and researchers.

“This is just a starting point that developers can use to rule out the most commonly exploited classes of software vulnerabilities during the implementation phase,” said Landwehr. “There is more work to do, so we encourage the industry to participate in our effort to create a foundation for a more complete code for the medical device industry to apply.”

The release of IEEE's code for medical device software security comes amid the rising threat of malicious attacks against medical devices.

Late last year, The Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) began investigating a number of devices — like infusion pumps from Hospira and implantable cardiac defibrillators from Medtronic — that were subject to successful hacking attacks.

Recently, a team of scientists at the University of Washington (UW) hacked a surgical robot to demonstrate the vulnerability of certain systems to cyber threats. Other experts also have voiced concerns that devices currently under development — such as artificial pancreas devices — are vulnerable. 

The U.S. Food and Drug Administration (FDA) released a cybersecurity guidance document in October last year. The guidance urges manufacturers to include cybersecurity as a component in the design and development process, which will help identify risks specific to each device.