New IEEE Guidance on Medical Device Security

IEEE, a professional association of engineers in multiple industries including healthcare, has issued guidance to help software developers establish a baseline of security for software development and implementation of medical devices.

The goal is to reduce or eliminate security vulnerabilities that could enable unauthorized persons to access the devices. “Most exploited vulnerabilities are due to accidental implementation errors that can be avoided or significantly reduced through the use of specific programming languages and automated tools for checking software,” according to an IEEE announcement.

And that is the starting point for this first iteration of guidance—to rule out the most common vulnerabilities during the implementation phase, says Carl Landwehr, co-author of the guidance and a research scientist at the Cyber Security Policy and Research Institute at George Washington University.

The guidance covers a range of coding elements intended to avoid/detect/remove specific vulnerabilities, assure proper use of cryptography, assure software and firmware integrity, impede attacker analysis or exploitation, and enable detection and attribution of an attack, among other functions.

For instance, validating firmware and software updates requires developer resources that include a signing key, protection for that key, and the ability to compute and store digital signatures for the updates produced.

The guidance, “Building Code for Medical Device Software Security,” is available here.
