Guest Column | September 15, 2017

6 Security Considerations For FDA's New Medical Device Pre-Cert Program

Data Security

By Matt Clemens, Security Solutions Architect, Arxan

In healthcare, the speed of innovation is more critical than in other industries. Lives depend on it. So the FDA’s recent decision to increase the pace of delivering new life-saving medical devices to market is a significant step.

With the new Software Pre-Cert Pilot Program, the FDA has acknowledged that the review model built for hardware-based medical devices is poorly suited to the faster, iterative design, development and validation cycle of software products. One of the program's primary goals is to ensure that lessons from each software iteration can be fed back quickly into the development process.

Rather than targeting finished products, the Pre-Cert program is aimed at digital health developers who can demonstrate a culture of quality in software design, development and testing. Once certified, these developers can market their lower-risk products without additional FDA review.

The FDA recognizes mobile health technologies can have significant benefits to patients' lives by facilitating prevention, treatment, and diagnosis — as well as helping patients manage chronic conditions outside of traditional healthcare settings.

Patients entrust their personal safety and lives to medical devices every day – from pacemakers and insulin pumps to hospital infusion pumps and other devices. Many of these “traditional” medical devices can be monitored and managed by smartphones and other consumer devices. They are also supplemented by wearable technologies and other Internet of Things devices.

All of these medical devices can be vulnerable to compromise if the apps that drive them are insufficiently protected. Beyond the privacy of medical data, weak security around a medical device can alter the course of treatment, whether by feeding clinicians false readings or by changing what the device delivers, and that can be a matter of life and death.

These issues have already become plausible entertainment fodder. On television's Homeland, the vice president of the United States dies of an induced heart attack after terrorists gain remote access to his pacemaker.

The risk is not just Hollywood hype; it is real. The Homeland story line is all the more startling because it echoed a real concern: in 2007, former Vice President Dick Cheney's doctors disabled the wireless function of his implanted heart device to rule out exactly this kind of attack. The medical device industry has had several other security scares since. In 2015, the FDA warned hospitals to stop using a line of infusion pumps (Hospira's Symbiq), reportedly more than 400,000 of which were in use in hospitals, because they could be taken over remotely to deliver lethal doses of medication to patients on IV drips. And in January 2017 the FDA issued a safety communication about cybersecurity vulnerabilities in St. Jude Medical's implantable cardiac devices and the Merlin@home transmitter that talks to them.

Any connected medical device is a point of exposure. Once in use, devices need to be updated securely and enhanced frequently, and they need to be able to detect and resist modification by attackers.

I recommend that participants in the Pre-Cert program address six specific security concerns.

Secure The Application

In addition to securing access to the application on the device, pay particular attention to preventing embedded and mobile apps from being tampered with or modified. An attacker does not need the source code: anyone can pull the app binary from an app store or a device, decompile it, insert malicious code and redistribute the result to anyone who uses that app to connect to their medical device.

Prevent Cryptographic Key Exposure

Cryptographic keys are a frequent weak point. A key hard-coded into the app, or written to a plain file on the device, can be lifted from the binary with a decompiler or a simple entropy scan, and once an attacker has it, everything it protects, stored data, telemetry and device commands alike, can be decrypted or forged. Identify where each key lives, how it is generated and whether it is bound to the platform's hardware-backed key store, and test the shipped binary for recoverable key material.
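One concrete way to run the checks above, added here as an illustration and not code from the article or from Arxan: a scan that flags high-entropy, key-like segments in an app image, next to a build that ships no static secret at all and instead derives its key at run time with HKDF (RFC 5869) from a device-bound secret. The "binaries", the embedded key and the filler bytes are constructed for the example, and the device-bound secret is a stand-in for a non-exportable key that a real app would obtain from the platform key store; both assumptions are marked in the code.

```python
import hashlib
import hmac
import math

# --- Detection: look for key-like material in a compiled image ----------------

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over `data` (a 32-byte window of 32 distinct
    bytes scores exactly 5.0; repetitive text or code scores far lower)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_key_like_regions(blob: bytes, window: int = 32, threshold: float = 4.8):
    """Slide a `window`-byte window over `blob`, keep windows whose entropy is
    at or above `threshold` (4.8 means at least 29 distinct values in 32 bytes)
    and merge overlapping hits into (start, end) regions. Compressed or
    encrypted sections also score high, so treat hits as leads, not proof."""
    regions = []
    for i in range(len(blob) - window + 1):
        if shannon_entropy(blob[i:i + window]) >= threshold:
            if regions and i <= regions[-1][1]:
                regions[-1][1] = i + window      # extend the current region
            else:
                regions.append([i, i + window])  # start a new region
    return [tuple(r) for r in regions]


# --- Hardening: derive the key at run time instead of shipping it -------------

def hkdf_sha256(ikm: bytes, info: bytes, salt: bytes = b"", length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK from the input keying
    material, then expand it into `length` bytes bound to the `info` label."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_key(device_secret: bytes, purpose: bytes) -> bytes:
    """Per-purpose key derived from a device-bound secret. `device_secret`
    stands in for a non-exportable key held by the platform key store
    (an assumption for this example); nothing key-like lands in the binary."""
    return hkdf_sha256(device_secret, info=b"medpump/" + purpose)


# --- Constructed sample "binaries" (not real firmware or app code) ------------

FILLER_STRINGS = b"MedPumpApp v1.2 " * 4                 # low-entropy string table
FILLER_CODE = b"\x55\x48\x89\xe5\x48\x83\xec\x10" * 8    # repeated prologue bytes
PADDING = bytes(32)
PURPOSE_LABEL = b"telemetry-upload"

# Constructed 32-byte value with 32 distinct bytes; not a real key.
HARDCODED_KEY = bytes.fromhex(
    "0123456789abcdeffedcba9876543210a1b2c3d4e5f60718293a4b5c6d7e8f90"
)

VULNERABLE_BUILD = FILLER_STRINGS + FILLER_CODE + HARDCODED_KEY + PADDING + PURPOSE_LABEL
HARDENED_BUILD = FILLER_STRINGS + FILLER_CODE + PADDING + PURPOSE_LABEL


def key_is_recoverable(build: bytes, key: bytes) -> bool:
    """True if the scan flags a region that contains `key` verbatim."""
    return any(key in build[s:e] for s, e in find_key_like_regions(build))


if __name__ == "__main__":
    print("vulnerable build regions:", find_key_like_regions(VULNERABLE_BUILD))
    print("hardened build regions:", find_key_like_regions(HARDENED_BUILD))
    simulated_keystore_secret = bytes.fromhex("00" * 31 + "01")  # stand-in only
    print("runtime key:", session_key(simulated_keystore_secret, PURPOSE_LABEL).hex())
```

The scan is deliberately crude: it says where to look, not what is there, and it will also light up on compressed resources or encrypted blobs. The hardened build is the point of the comparison: there is nothing static to find because the key only ever exists in memory, bound to a secret the operating system will not export.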

Protect Embedded Apps And SDKs

Embedded applications and third-party SDKs run with the same privileges as the app that includes them, so secure them to the same standard as your own code. A compromised or tampered SDK lets an attacker alter application logic or, through the app, device firmware, without ever touching the developer's own source.

Protect Apps In Untrusted Environments

Once apps are published in public app stores, users download them onto devices the developer cannot vouch for. On a jailbroken or rooted phone the operating system's protections, sandboxing, code signing and key-store isolation, no longer hold, so attackers can attach debuggers, hook functions, read the app's storage and tamper with its updates. Apps that are not built to withstand this can be reverse engineered and their data exposed to further attacks.

Evaluate Opportunities For Machine Learning

The healthcare industry already uses machine learning for disease diagnosis, personalized treatment and drug discovery. As the number and variety of medical devices grows, the same techniques can be applied to fleet telemetry to detect behaviour that departs from a device's peers, a useful signal of compromise. Make the future of machine learning in healthcare a priority for discussion, and address any foreseeable trends or concerns that may follow from its increasing popularity.
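As an added example of the idea in this section, not code from the article, here is the simplest form of cross-device anomaly detection: a baseline per device type built from robust statistics (median and median absolute deviation, scored with the modified z-score of Iglewicz and Hoaglin) and a threshold that flags a device whose behaviour departs from its peers. The telemetry rows are constructed, and the metric, rate-change commands received per hour from the companion app, is an assumption about what a fleet would report. A learned model would replace the baseline function; the per-type grouping and the minimum-peers guard are the parts that carry over.

```python
from collections import defaultdict
import math
import statistics

# Constructed one-hour telemetry snapshot: (device_type, device_id, commands/h).
# The numbers are made up for this example and are not real device data.
TELEMETRY = [
    ("infusion_pump", "pump-01", 2), ("infusion_pump", "pump-02", 3),
    ("infusion_pump", "pump-03", 1), ("infusion_pump", "pump-04", 2),
    ("infusion_pump", "pump-05", 4), ("infusion_pump", "pump-06", 2),
    ("infusion_pump", "pump-07", 3), ("infusion_pump", "pump-08", 41),
    ("glucose_monitor", "cgm-01", 12), ("glucose_monitor", "cgm-02", 11),
    ("glucose_monitor", "cgm-03", 13), ("glucose_monitor", "cgm-04", 12),
    ("glucose_monitor", "cgm-05", 10), ("glucose_monitor", "cgm-06", 12),
    ("ventilator", "vent-01", 5), ("ventilator", "vent-02", 30),   # too few peers
]

MIN_PEERS = 5       # below this a baseline is statistically meaningless
THRESHOLD = 3.5     # Iglewicz and Hoaglin's cutoff for the modified z-score


def modified_zscore(value, median, mad):
    """0.6745 * (x - median) / MAD, the MAD-based analogue of a z-score.
    If MAD is 0 (all peers identical) any deviation at all is flagged."""
    if mad == 0:
        return 0.0 if value == median else math.inf
    return 0.6745 * (value - median) / mad


def baselines(records):
    """Per-device-type (median, MAD, n) computed over all devices of that type.
    Median and MAD are used so that one compromised device cannot drag the
    baseline toward itself the way a mean and standard deviation would."""
    by_type = defaultdict(list)
    for device_type, _, value in records:
        by_type[device_type].append(value)
    result = {}
    for device_type, values in by_type.items():
        median = statistics.median(values)
        mad = statistics.median(abs(v - median) for v in values)
        result[device_type] = (median, mad, len(values))
    return result


def flag_anomalies(records, threshold=THRESHOLD, min_peers=MIN_PEERS):
    """Return [(device_type, device_id, value, score)] for devices whose
    behaviour departs from their type's baseline. Types with too few peers
    are skipped rather than judged on noise; they need another control."""
    base = baselines(records)
    flagged = []
    for device_type, device_id, value in records:
        median, mad, n = base[device_type]
        if n < min_peers:
            continue
        score = modified_zscore(value, median, mad)
        if abs(score) > threshold:
            flagged.append((device_type, device_id, value, round(score, 1)))
    return flagged


def score_against_peers(device_type, value, records=TELEMETRY):
    """Score one new observation against the fleet baseline for its type."""
    median, mad, _ = baselines(records)[device_type]
    return modified_zscore(value, median, mad)


if __name__ == "__main__":
    for hit in flag_anomalies(TELEMETRY):
        print("ANOMALY", hit)
```

Two things the output shows that the paragraph alone does not: the same value (12 commands an hour) is unremarkable for a glucose monitor and wildly abnormal for an infusion pump, which is why the baseline must be per device type; and the two ventilators, where 30 against 5 looks suspicious, are not scored at all because two samples cannot define "normal", so small populations need a rule-based control rather than a statistical one.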

Share Best Practices

Use the Pre-Cert program as an opportunity to collaborate and share medical device security best practices with peers. The broader software market has benefited from open source, where developers open their source code to modification and community-driven development; that transparency brings the benefits of peer review and aims for higher quality at lower cost. By following the same model of open exchange, healthcare software providers can stay a few steps ahead of attackers.

Security is not a single-step process. The FDA's Pre-Cert program advances security for healthcare applications, and the developer community should seize it as an opportunity to harden its own processes.

In most industries, security is the lifeblood of public trust. In healthcare, it can be the difference between life and death.