Ask HN: What are some good resources to understand medical device cybersecurity?

[mriguy]

Medical device cybersecurity has become a significant area of focus for the FDA. Starting Oct 1, 2023, the FDA will issue a 'Refuse To Accept' letters to 510K submissions that do not comply with the amended Section 524B of the FD&C Act.

Most of the online resources related to medical device cybersecurity are from companies selling solutions.

Are there examples of high-quality independent blogs, resources for medical device professionals to refer to educate themselves?

[gmassman]

Use best IoT practices. Treat a medical device like any new product whose data you want to remain secure. On the device itself, ensure your firmware is inaccessible to curious hackers. Most MCUs provide read back protection so enable it! Ensure OTA updates are encrypted and signed, and only verified bootloaders can decrypt and install firmware. All network communications should be encrypted too; use HTTPS or similar protocols and treat your device certs like you treat your firmware.

On the backend, use web API security best practices. This means only allow API access to authorized devices and/or users. Keep your database secure. There’s tons of resources out there about how to build a secure backend.

Cybersecurity isn’t nearly as complicated as marketers and would-be consultants paint it out to be. Granted, programs are complicated (firmware especially), so invest heavily in good testing to catch insecure code before they manifest into issues.

As far as the FDA is concerned, document everything, probably more that you think is necessary. Write up a clear set of requirements, verification and validation plans, and very thorough design documents. This benefits both them and any future team members that may need to work on the project.

[simne]

I few times touched with subject, must say, this is mostly comedy or parody.

Because, regulators are extremely conservative, devices have extremely long lifetime.

Example, people asked me, where to buy USB flash with two tails - they used old embedded Windows on integrated into medical device computer, and regulations require to remove network devices, even prohibited to connect network USB dongle (sure, guy tried, but network drivers disabled in OS).

Interest, that people could install on that computer 3rd party applications, even games.

And that two-tail flash used to integrate those computer to medical database of organization - for me, this is just security WTF.

So, in reality, old systems live within old rules, which just don't know modern off-the-shelf technologies, and even when it is possible to make upgrade to modern safety techniques it is not considered.

As alternative example, not ideal, but.. Japanese new regulations on skyscrapers, where to got permission to build, builder required to create special account, on which deposit full sum of money, to safely collapse building and return land to state it was before.

[simne]

And, when this medical computer was manufactured (from marks on case), I already have developer documentation on secure SIM card with integrated Java, so it was possible to totally eliminate all external drives, and make "over-the-air" upgrades via GSM network, enhanced with software security running on SIM, which I think much better way of security implementation, than limit USB to storage (which is not secure now).

[johnklos]

Honestly, medical security is more theater than real security. The people with marketing prowess sell crap for much, much more of a markup to the medical world than to most other industries, excepting perhaps military, and just like many other areas, marketing has much more of an influence than actual security.

Pretty much all of my experience in medical security to date has been playing games to paper over horribly insecure defaults that should never have been considered in the first place. Companies would rather things that are known to be insecure that others are using, so everyone is in the same boat, so to speak, than to choose something demonstrably more secure that nobody else is using.

In other words, learn about marketing, marketing forces, and securing things after the fact.

[mriguy]

Lot of what you say rings true. I am involved in a project right now where the team members are trying to do the right thing from a development point of view. However the bureaucracy of centralized information security folks and paperwork based approach of the quality and regulatory folks makes it painful. Hence reaching out to this forum to see if anyone has a good experience of doing it right.

[borissk]

Don't think medical devices are in any way unique. Same cybersecurity principles and practices apply to them as to any IoT device.

[mriguy]

Good point. Some of the uniqueness is because some of these devices have been developed before considering connectivity, and in many cases, the network features are "bolted on". Are there any good best practices documentation regarding IoT device security, especially when considering regulatory filings or compliance requirements.

[mikewarot]

Please remember that availability is part of security. If the company that makes the device folds, or just decides to stop supporting it, it should remain available, perhaps even a decade or more later. We should never have people with implanted devices that are otherwise functional, because of a lack of software support.

[thesimpleone]

There’s a lot of compliance rules for these types of devices.