Episode 8 · November 26, 2024 · 28m listen · 2,593 words · ~13 min read
Building Resilient Medical Devices: A Look at the Essential Technologies and Infrastructure | Ep. 4 - Full Transcript | The Med Device Cyber Podcast
Episode summary
In this episode of The Med Device Cyber Podcast, the hosts delve into the critical security considerations that should be integrated during the design phase of medical devices. They argue that addressing cybersecurity early in the development lifecycle—a 'shift-left' approach—is far more effective and cost-efficient than attempting to add it on later. The discussion is framed around the security controls and areas of concern highlighted by regulatory bodies like the FDA, emphasizing that these are not merely best practices but essential requirements for market approval and patient safety.
The hosts begin by differentiating between functional and non-functional requirements, categorizing cybersecurity as a crucial non-functional requirement that defines *how* a system should operate securely, rather than *what* it should do. They then systematically break down the key security control categories recommended by the FDA. The conversation covers Authentication, which is about verifying a user's identity through methods like passwords, multi-factor authentication (MFA), and biometrics. They distinguish this from Authorization, which dictates what an authenticated user is permitted to do, stressing the importance of role-based access control. The discussion moves to Cryptography, explaining the need to protect data both 'at rest' (stored on the device) and 'in transit' (communicated over a network) through robust encryption. They also touch upon Code, Data, and Execution Integrity, which involves ensuring that the device's software and data have not been tampered with, often achieved through techniques like secure boot and checksums. Finally, they cover the importance of Resilience and Recovery, designing devices to withstand attacks and recover to a known good state, and the necessity of secure Firmware and Software Updates, which, while convenient, can introduce significant vulnerabilities if the update mechanism itself is not properly secured.
Key takeaways from this episode
Cybersecurity should be integrated from the very beginning of the medical device design phase, not as an afterthought, to prevent costly and complex remediation later.
Understanding the difference between functional and non-functional requirements is key; cybersecurity is a critical non-functional requirement that dictates how securely a device must operate.
Authentication (proving who you are) and Authorization (what you are allowed to do) are distinct but related concepts, both essential for controlling access to device functions and data.
Cryptography is crucial for protecting sensitive patient data, both when it is stored on the device (at rest) and when it is being transmitted (in transit).
Code and data integrity verification, often through mechanisms like secure boot and checksums, ensures that the device is running authentic, untampered software.
Devices must be designed for resilience to withstand cyber attacks and have a clear recovery plan to return to a safe, operational state after an incident.
While remote firmware and software updates offer convenience, the update mechanism itself can be a major attack vector and must be thoroughly secured.
The FDA outlines specific categories of security controls—including authentication, authorization, and cryptography—that manufacturers must address to ensure device safety and efficacy.
Full episode transcript
Host: Hey there, welcome back. Today we're going to be talking about security considerations as part of the design phase of a device and what can be done to prevent vulnerabilities from popping up further right in the development process and looking at some of the big considerations as far as the areas that should be covered by security in the eyes of the regulatory bodies such as the FDA.
Guest: All right. Sounds pretty serious stuff.
Host: Oh yeah. Yeah, when we're looking at these medical devices and the impact of breaching them, it can get pretty serious.
Guest: All right, and where do these, um, controls come from? You're talking about, we're going to cover. Are these standard best practices, or, like, where do they come from?
Host: These controls are partially going to be standard best practices, um, industry-wide. And they're also going to come, we're going to look at the FDA's requirements since that's what we have the most experience dealing with and what we see the most and what the FDA sees as the most important areas to address cyber security.
Guest: Okay. Awesome.
So I think one of those requirements is authentication. Is that correct?
Host: Yeah, and how we're getting to the controls around these requirements. So I want to talk a little bit about a requirement in a device period.
Guest: There can be a- It's a good place to start. We should back up a little bit and talk about that, yeah. Yeah. All right, go ahead, sorry.
Host: There's going to be the functional requirement in a device. So, if I have my cell phone right here, a functional requirement is put a password in place to log into the phone.
Now, the non-functional requirement there might be how is that password protected? Is it just stored in plain text somewhere in the phone where if someone gets in, they can just read it. Is it hashed in some way? Is it stored up in the cloud? Is there an authentication manager? The non-functional requirements are sort of where it can get a little bit murky and where security really needs to be looked at.
So for each of these items, they are typically going to be the non-functional requirements that we're looking at more. And for each of the functional requirements, we need-
Guest: This is kind of like cyber security as a whole. Isn't cyber security as a whole like a non-functional requirement typically?
Host: Pretty much. Uh, a lot of people see cyber security as a necessary evil. It's that one thing you have to do once a year to make sure that you're able to keep selling your product, which is often a hard way to think about it since that means you're often not addressing security at the very beginning and often making it a little bit harder on yourself later down the line.
Guest: So that's- What does that mean, necessary evil? I'm just thinking, I heard that term a lot with cyber security. I'm thinking, like, what else is a necessary evil in life? Is it just cyber security or is there something else?
Host: I think... I mean, great example, like going to the dentist every year. I want to make sure that my teeth look pretty nice, but I don't necessarily like driving all the way down to Phoenix every time I have to go to the dentist. And so that's not always something I'm excited to wake up and do. I'm not excited for a $3,000 bill at the end of the day for going to the dentist either. But
Guest: I guess it is a necessary evil. Yeah. Yeah. And I went to the dentist once and they messed up drilling my teeth and I haven't been back. I almost passed out, it hurt so badly. I was trying to, like, just deal with it because they were drilling out to put a cap on or whatever, and a crown on, I think it's called. And they forgot to put the right novocaine or whatever, those injections. I was just trying to handle it out, handle it, but tears started coming down my eyes, the pain was so bad, so I haven't been back to the dentist since. So it definitely was evil, for sure. I can Yeah.
Host: Well, you definitely should go to the dentist, so that's a whole other conversation.
Guest: I brush my teeth and floss 'em, you know. Why do I need to go to the dentist?
Host: I brush my teeth and floss 'em every day still. I have great teeth, but last time I went, I had to get some work done, so.
Guest: Okay, all right. You should go to the dentist. All right, so that's another necessary evil, it's like cyber security.