Transitioning To Cybersecure By Design

by Linda

Founder, Blue Goat Cyber | MedTech Cybersecurity Leader | Speaker & Author | 24x Ironman | Securing Innovation & Patient Safety.

Secure by design didn’t just pop up in the medical device industry with the update to the Food & Drug Administration (FDA) guidance on cybersecurity recommendations. However, its inclusion in that guidance signals that the agency believes it to be the best approach to security.

If a design has attributes that align with the secure-by-design approach, it sets the foundation for the device’s entire life cycle. The specific standards the FDA says should be included are the National Institute of Standards and Technology’s (NIST’s) Federal Information Processing Standards (FIPS 140-2 and 140-3), the Cybersecurity and Infrastructure Security Agency (CISA) cybersecurity guidelines and industry-standard routing requirements.

So, beyond the standards and frameworks, how do secure-by-design initiatives become practical, repeatable and scalable?

Secure-By-Design Tenets

Secure by design describes a strategy that prioritizes security considerations throughout the software development life cycle. With this philosophy, security takes a seat at the table from the start. It’s not an afterthought or a perceived obstacle. The goal is a more reliable and resilient system, which starts with identifying and mitigating cybersecurity risks.

CISA provides a Secure-by-Design initiative. It has three tenets from which the recommendations come. Those developing software must:

1. Own the outcomes of customer security.

2. Adhere to security-related transparency and accountability.

3. Lead from the top.

CISA also offers seven goals for software:

1. Incorporating multifactor authentication (MFA)

2. Reducing default passwords

3. Decreasing classes of vulnerabilities

4. Improving security patching

5. Creating a vulnerability disclosure policy

6. Providing accurate common weakness enumeration (CWE) and common platform enumeration (CPE) for common vulnerabilities and exposures (CVE)

7. Gathering evidence of intrusions that could impact the device

All these things have been in the plans and lexicon of the medical device industry. Many of these align with the overall recommendations from the FDA. For example, premarket submissions for products should include a plan for patching once the product is in the field.

What’s new in this landscape is moving from secure by design to cybersecure by design.

What Is Cybersecure By Design?

Secure by design is a great foundation for software development. But medical devices are unique products. They connect to the internet, which increases risk. They’re also used across networks, as some devices are on the patient’s person. Another difference is that these devices could, if hacked, actually cause physical harm. For those reasons and the fact that they have long been a target of cybercriminals, cybersecure by design must replace secure by design.

Cybersecure by design builds on the secure-by-design framework, emphasizing visibility and monitoring, segmenting traffic, and controlling lateral movement across zones. All of these characteristics point toward breach prevention and readiness that focuses on the impact of a cyberattack on communications, assets and patient safety.
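To make the segmentation and lateral-movement point concrete, here is an added example (not code from the article or from Blue Goat Cyber) that evaluates observed device traffic against a zone allow-list. The zones, CIDR ranges, allow-list entries and sample flow records are all constructed for illustration; the logic is what a gateway or network monitoring job would run over parsed firewall or NetFlow records to surface flows that a cybersecure-by-design architecture should never see, including device-to-device traffic inside the device zone.

```python
"""Zone-based segmentation audit for device traffic (illustrative).

Assumptions (not from the article): the zones, CIDRs, allow-list and sample
flows below are invented for this example.
"""
from dataclasses import dataclass
import ipaddress

# Hypothetical trust zones on a clinical network, keyed by CIDR.
ZONES = {
    "device":   ipaddress.ip_network("10.10.0.0/24"),     # pumps, monitors
    "clinical": ipaddress.ip_network("10.20.0.0/24"),     # EHR, device gateway
    "mgmt":     ipaddress.ip_network("10.30.0.0/24"),     # vendor maintenance hosts
    "guest":    ipaddress.ip_network("192.168.50.0/24"),  # visitor Wi-Fi
}

# Allow-list of (source zone, destination zone, destination port).
# Anything not listed is denied. East-west traffic inside the device zone is
# deliberately absent so that one compromised device cannot reach another.
ALLOWED = {
    ("device", "clinical", 443),   # telemetry upload to the gateway
    ("clinical", "device", 443),   # gateway pushes configuration to devices
    ("mgmt", "device", 22),        # vendor maintenance over SSH
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an address to its trust zone, or 'unknown' if it is unmapped."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def classify(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for a single flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "deny", f"unmapped address ({src_zone} -> {dst_zone})"
    if src_zone == dst_zone == "device":
        return "deny", "east-west traffic between devices (lateral movement)"
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return "allow", f"{src_zone} -> {dst_zone}:{flow.dport} is allow-listed"
    return "deny", f"{src_zone} -> {dst_zone}:{flow.dport} not in allow-list"


def audit(flows):
    """Return the denied flows with reasons, ready for alerting."""
    findings = []
    for f in flows:
        verdict, reason = classify(f)
        if verdict == "deny":
            findings.append((f, reason))
    return findings


# Constructed sample flows, as they might be parsed from firewall logs.
SAMPLE_FLOWS = [
    Flow("10.10.0.15", "10.20.0.5", 443),     # pump -> gateway: allowed
    Flow("10.10.0.15", "10.10.0.16", 445),    # pump -> pump SMB: lateral movement
    Flow("192.168.50.7", "10.10.0.15", 22),   # guest Wi-Fi -> pump SSH: denied
    Flow("10.30.0.2", "10.10.0.15", 22),      # vendor host -> pump: allowed
    Flow("10.10.0.15", "10.20.0.5", 3389),    # pump -> gateway RDP: not allowed
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

The design choice worth noting is that the allow-list is the whole policy: visibility comes from logging every denial, and lateral movement is controlled by never listing a device-to-device rule rather than by trying to enumerate bad traffic.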

What Happens Without A Commitment To Cybersecure By Design?

Medical device manufacturers are under intense pressure on the security side of the business. They want to follow FDA guidance and ensure they have a premarket submission that checks all the boxes. Except that’s kind of the issue—checking boxes versus cybersecurity diligence.

Why does this happen? There are a lot of reasons, and most aren’t nefarious. Manufacturers may not always have the most knowledge or expertise in cybersecurity. They may also have let their own processes and policies become stale.

When the industry is not in sync with the cybersecure-by-design framework, several problems can follow:

• The FDA could reject their premarket submission. This puts the product road map on hold and can be costly.

• The device goes to market with hidden vulnerabilities. This means that it’s exploitable.

• A breach or other attack could occur. This is the worst-case scenario.

• Issues like unreliability and unavailability can arise. After the device is in use, an attack isn’t the only worry. Without proper updates, it could become unavailable.

How To Transition To Cybersecure By Design

How do you get from secure by design to cybersecure by design? It’s not a giant leap. Development should still involve all secure-by-design tenets. Cybersecure by design simply expands on these.

Take these steps to shift:

• Use penetration testing to understand the true impact of an attack instead of only using threat modeling or what-if scenarios.

• Ensure the software bill of materials (SBOM) has no gaps or inaccuracies, and continue to update it as the device evolves.

• Remove any legacy components at the start, including code, software or APIs.

• Include endpoint security testing as part of interoperability scoping.

• Add zero-trust agents to manage any data exhaust from devices that are continuously streaming telemetry.

• Work in partnership with stakeholders across the industry to continue to fortify cybersecurity best practices and offensive strategies.
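The SBOM and legacy-component steps above are the ones most easily turned into an automated gate. The following is an added example (not the article’s or Blue Goat Cyber’s code) that compares a CycloneDX-style SBOM against the build manifest of the firmware image and reports gaps in both directions: components the image ships that the SBOM omits, and stale SBOM entries for components that are no longer built in, plus entries with placeholder versions, missing package URLs or duplicate rows. CycloneDX is a real SBOM format, but the document contents, component names, versions and manifest below are all constructed for this example.

```python
"""SBOM gap check against a build manifest (illustrative).

The SBOM document, the build manifest and every component name below are
constructed for this example, not taken from the article or a real device.
"""
import json

# Constructed CycloneDX-style SBOM as a build pipeline might emit it.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:generic/zlib@1.3.1"},
        {"type": "library", "name": "libxml2", "version": "",       # no version
         "purl": "pkg:generic/libxml2"},
        {"type": "library", "name": "curl", "version": "8.6.0"},   # no purl
        {"type": "library", "name": "zlib", "version": "1.3.1",    # duplicate
         "purl": "pkg:generic/zlib@1.3.1"},
        {"type": "library", "name": "legacy-ble-stack", "version": "0.9",
         "purl": "pkg:generic/legacy-ble-stack@0.9"},              # not shipped
    ],
})

# Constructed inventory of what the firmware image actually links in, e.g.
# from the build manifest or a binary scan of the image.
BUILD_MANIFEST = {
    ("openssl", "3.0.13"),
    ("zlib", "1.3.1"),
    ("libxml2", "2.12.6"),
    ("curl", "8.6.0"),
    ("mbedtls", "3.5.2"),   # in the image but absent from the SBOM
}

# Version strings that carry no information and cannot be matched or patched.
PLACEHOLDER_VERSIONS = {"", "unknown", "latest", "n/a"}


def check_sbom(sbom_text: str, manifest: set[tuple[str, str]]) -> dict:
    """Compare an SBOM document against the build manifest; return a gap report."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")

    report = {"missing_version": [], "missing_purl": [], "duplicates": [],
              "not_in_sbom": [], "not_in_build": []}
    seen = set()
    sbom_pairs = set()
    for comp in sbom.get("components", []):
        name, version = comp.get("name", ""), comp.get("version", "")
        key = (name, version)
        if key in seen:
            report["duplicates"].append(name)
        seen.add(key)
        if version.strip().lower() in PLACEHOLDER_VERSIONS:
            report["missing_version"].append(name)
            continue  # an unversioned entry cannot be matched to the build
        if not comp.get("purl"):
            report["missing_purl"].append(name)
        sbom_pairs.add(key)

    # Gaps in both directions: shipped but undocumented, documented but stale.
    report["not_in_sbom"] = sorted(f"{n}@{v}" for n, v in manifest - sbom_pairs)
    report["not_in_build"] = sorted(f"{n}@{v}" for n, v in sbom_pairs - manifest)
    clean = not any(report.values())
    report["clean"] = clean
    return report


if __name__ == "__main__":
    for finding, items in check_sbom(SBOM_JSON, BUILD_MANIFEST).items():
        print(f"{finding}: {items}")
```

Run as a release gate, a non-empty `not_in_sbom` list blocks the build, and `not_in_build` is the signal that a legacy component has been removed from the image but not from the record, which is exactly the drift the “continue to update it as the device evolves” step is meant to prevent.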

A cybersecure-by-design mindset should permeate a medical device manufacturer’s environment. It’s not restrictive. Instead, it can parallel innovation, bringing safe, secure devices to market that help patients.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
