Tuesday, April 4, 2023

Finally some better medical device cyber security

I've been posting about problems in the security of medical devices for a long time (example post here). New requirements are now emerging that may improve things. The quotations below are from the new federal cybersecurity requirements that the FDA now applies to medical devices:

Effective immediately, medical device manufacturers are expected to submit "a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits."

Manufacturers are also required to "design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure." This includes making patches available "on a reasonably justified regular cycle," and, for newly found critical vulnerabilities, "as soon as possible out of cycle."

In other words, medical device security is finally being dragged into the Twenty Teens. Small steps, but steps forward.

3 comments:

ASM826 said...

Better than the current guidelines, which require devices to be certified on an O/S and cannot be upgraded without recertification. When I left the industry, there were devices we had to sandbox behind hardware firewalls due to vulnerabilities that could not be patched. Mission-critical medical equipment running versions of Windows like 2000, XP, or Vista.

Old NFO said...

Closing the barn door after the horse is three counties over... sigh

Roy said...

A big part of the problem with cybersecurity on medical devices is the FDA itself. If you have, say, an MRI machine with a host computer that is running an O/S like Windows 10, every single patch, not just to the measurement application but to the O/S itself, must be certified by the FDA. What this meant was that timely patches were impossible, so we did them in batches every six months or so.