19 Jul 2019

Safely Test and Deploy Connected Products

In our previous post, we explored the regulatory requirements for cyber security in connected medical devices.  But, how does one start to address this and meet the emerging requirements?  That can be a complex question to answer but we will try to simplify it as a basic three phased approach:

1. Plan for and design the right security functions

The standards and regulatory guidance present many clear and well-defined security functions that should be present in most medical devices.  For example, the standards and guidance call for security functions related to authentication, remote communications, software patching, and secure configuration (to name a few).  These functions should all be considered in the design of a medical device but not all products will require that all of these functions to be implemented.  Risk management plays a significant role when determining what security functions may or may not be required; external controls might already be in place to protect against perceived threats or risks may be significantly reduced based on the intended environment of a particular device.  Key in the risk management process is a well-documented method for the review and assessment of the concerns.

Risk management is not a new concept to those familiar with the development of a medical device, however, in connected devices the risk takes on new dimensions.  Cyber risks include but are not limited to the concerns of patient harm. Other cyber-risks, such as unauthorized access to internal networks, require careful consideration. The cyber security risk management, ideally, should be conducted in parallel to the safety risk management process and should address areas including but not limited to reduction of effectiveness and impacts to clinical operations.  

2. Test the Security

Once a design is decided upon and the required security functions have been implemented, it is time to conduct the security testing.  Security testing should include a vulnerability assessment and penetration testing of the medical device, including in the scope all external interfaces as well as a review for known weaknesses.  In order to ensure the effectiveness of the security testing, it should be conducted by a team that is independent of the developers and has a depth of knowledge of the test tools and techniques being employed as well as the devices being tested.  While off the shelf tools are indispensable in security assessments, custom devices and applications require custom approaches to security testing. 

Vulnerabilities and security-relevant issues identified during testing need to be reviewed through a risk management process.  Based on the determined risk, appropriate mitigations are required and re-testing should be conducted to ensure the issues are resolved.

3. Mitigate and document certification and deployment efforts

With the first two phases complete, a device is ready to embark on the final steps to compliance with regulatory guidance and certification efforts.  Administrative and user documentation can be completed – ensuring that intended deployment environment is understood and that any security assumptions and configuration requirements are identified.  This documentation ensures that all of the effort that went into designing and developing a secure product is not wasted; users responsible for the administration and operation of the device have confidence that they are not exposed to unexpected risk due to obscure configuration settings or poorly understood environmental assumptions.  In addition, final security testing can be completed during this phase with a reasonable degree of certainty that any residual issues will not have major impacts to product design, something that could otherwise lead to long and costly re-work development cycles.

This three-phase approach is intended to focus efforts on critical areas of the device development process so that key design decisions can be made early.  Impacts can be minimized by ensuring all of the necessary security features are thought of from the early planning stage.  Designs created with security in mind from the start lead to a robust security posture that is able to withstand new pressures as the ever-changing threat landscape evolves.

 

Wayne Steward,
IoT Director, Intertek-EWA Canada

During his 15 years with EWA Canada, Wayne has become an expert in many areas of the cyber security domain, including intrusion detection, cryptography, vulnerability assessment, penetration testing, static code analysis, payment technologies, and product reviews.  Wayne now manages a team of over ten security specialists and penetration testers focused on securing network infrastructure, mobile and web applications, and connected products.