INTRODUCTION:
Modern medical devices are gaining complexity, and as connectivity to the internet, cloud, and outside world increases, so does the security challenge. Further, medical devices for home use are increasing exponentially, so devices must withstand a non-clinical environment, communicating on insecure home networks. And with medical devices, security risks are also safety risks, which increase development costs and liability. Medical device software developers need improved development approaches, tools, and techniques to overcome these challenges.
Related:
- The Role of Static Analysis in Management of Cybersecurity in Medical Devices
- Designing Security into Medical Device Software
- Static Analysis and IEC 62304
Complexity and Connectivity
Medical device software grows in complexity each year. This is a direct result of several factors, inlcuding increased functionality, safety, and security requirements, as well as the connectivity and consolidation of multiple functions into single devices. The expectation of each new generation of medical device is that it is smarter, better, faster, cheaper, safer, and more secure than the previous generation. However, the biggest recent change is the growth of home health care, personal medical devices, and the desire to connect devices together for improved control, monitoring, and reporting. This growth into connected health care devices means that medical devices are exposed to more potential security threats than ever before.
Multicore Platforms
Multicore hardware platforms are a reality for medical devices, and while they bring unprecedented power to performance ratios, software development on these new platforms introduces new complexities. New programming techniques are often required, as is much more thorough debugging and performance testing. Developing securely and safely on multicore is still a relatively new territory, adding an additional risk factor to medical devices.
Cloud and Internet of Things
Medical device connectivity and the increasing use of cloud storage, analysis, and control mean better results for patients; however, such connectivity raises new privacy and security concerns as well. A larger emphasis on security is required in medical devices, which the FDA has recently addressed in its guidance on managing cybersecurity. Read more about this new guidance in a previous post.
Competitive Advantages
Despite the potentially overwhelming new challenges facing modern medical devices, being able to succeed in this new environment will continue to become a significant competitive advantage. Medical devices that support secure connectivity to protect user data are highly preferred. Devices that exploit new hardware advancements while maintaining robust operation win out over devices with higher power consumption and bill of materials costs. Medical devices developered to up-to-date methodologies with due diligence in safety and security, have much lower lifecycle costs over the competition. Overcoming these new challenges by leveraging new methods, new standards, and advanced tools can give you the advantage you need.
New Approaches
New approaches to medical device software development will be required if current development can’t keep pace with market challenges. The following guidelines help lower risk and liability in the face of big changes in device development:
- Training on and adoption of new software development, safety, and security best practices and guidelines: Software development is evolving along with techniques and methodology for security-critical and safety-critical devices. A long-term plan for the adoption of incremental and iterative development, risk management, and security best practices will prove to be beneficial both in product quality and development productivity.
- Design with a security-first philosophy: As discussed in an earlier post, treating security as a primary requirement alongside safety and functionality will be crucial in developing secure medical devices. Security can’t be added on later.
- Combine risk management with security threat analysis and assessments: As with treating security properly at all stages of development, security must be part of a medical device risk management plan. An insecure device is most likely not a safe device.
- Integrate development and testing tool automation: Software development tools are advancing along with new techniques and methodologies. Advanced static analysis tools such as GrammaTech CodeSonar play an important role in automating the detection of defects and security vulnerabilities. CodeSonar forms part of a modern tool chain that is critical in seizing the increased security, quality, and safety that new techniques and approaches offer.
- Inspect third-party code – open source, legacy, and commercially supplied: Most projects require reuse or build upon open-source or commercial products. In addition, medical device software must deal with the security and risk of software of unknown pedigree (SOUP) specifically. Assessing the quality and security of third-party code, in part with the aid of advanced static analysis, can reduce risk of using third-party code.
- Continuous security and safety audits: Auditing the software under development on a continuous basis and ensuring quality, security, and safety at all stages is critical to success. Ensuring products meet the audit standard before shipping illustrates proper due diligence and risk management required for FDA pre-market approval, for example.
This list may seem like a tall order to adopt in the short term; however, it’s meant to be a long term recommendation. For an example of what to do now, another post discusses a security audit as a way to understand your starting point.
CONCLUSION:
Medical device software developers need to deal with changing market challenges. Security has become a number one concern, but safety and adapting to new market requirements remains important. Adopting new strategies and approaches to software development will help teams evolve their development process, tools, and techniques, to adapt to the changing marketplace. Companies that evolve to this challenge the best stand to reap the benefits of a fast growing market.
