Ten Ways to Build Secure Software Code For Medical Devices

The IEEE Cybersecurity Initiative issues guidelines to reduce attacks

18 June 2015

Hackers are constantly on the hunt for any software flaws they can exploit, so it’s no surprise they’ve turned their attention to medical devices. Because today’s medical devices and equipment support a variety of ways to communicate, such as Wi-Fi and Bluetooth, their software can be vulnerable to attack.

For example, the U.S. Federal Drug Administration issued a safety communication in May about security vulnerabilities found in two computerized drug infusion pumps designed for the continuous delivery of anesthetic or therapeutic drugs. If exploited, according to the FDA, the vulnerability could allow an unauthorized user to interfere with the pump’s functioning and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies.

In “Hacking Hearts” we wrote about several members of a three-university research team that showed how implanted defibrillators—which use electrical shocks to jump-start arrhythmic hearts so that they return to beating normally—were vulnerable to hacking.

Aware of the security threats facing medical devices, the IEEE Cybersecurity Initiative recently released guidelines to help manufacturers avoid or reduce cybersecurity threats. The “Building Code for Medical Device Software Security” establishes a secure baseline for software development and production practice for medical devices. It covers software that runs on a variety of devices including implants, wearables, and large-scale diagnostic machines like MRI systems. A group of 40 volunteers with varying backgrounds in cybersecurity, programming languages, software engineering, medical device development, medical device standards, and medical device regulation worked to create the 10 so-called elements and structure of the code. They liken the medical code to building codes that were developed over centuries to guide the production of physical buildings. 

Most elements of the medical building code pertain to the implementation phase, which the experts believe is the main source of software errors and vulnerability.

Affiliate Member Tom Haigh and IEEE Fellow Carl Landwehr authored the report. Haigh is an associate professor at the University of Wisconsin’s School of Information Studies, in Milwaukee. Landwehr is a research scientist with the Cyber Security Policy and Research Institute at George Washington University, in Washington, D.C.

“This is just a starting point that developers can use to rule out the most commonly exploited classes of software vulnerabilities during the implementation phase,” said Landwehr in a news release about the code. “There is more work to do, so we encourage the industry to participate in our effort to create a foundation for a more complete code for the medical device industry to apply.”
