What are some good resources to understand medical device cybersecurity?

Question

Medical device cybersecurity has become a significant area of focus for the FDA. Starting Oct 1, 2023, the FDA will issue a 'Refuse To Accept' letters to 510K submissions that do not comply with the amended Section 524B of the FD&C Act.Most of the online resources related to medical device cybersecurity are from companies selling solutions.Are there examples of high-quality independent blogs, resources for medical device professionals to refer to educate themselves?

borissk · Accepted Answer

Don't think medical devices are in any way unique. Same cybersecurity principles and practices apply to them as to any IoT device.

johnklos · Answer

Honestly, medical security is more theater than real security. The people with marketing prowess sell crap for much, much more of a markup to the medical world than to most other industries, excepting perhaps military, and just like many other areas, marketing has much more of an influence than actual security.
Pretty much all of my experience in medical security to date has been playing games to paper over horribly insecure defaults that should never have been considered in the first place. Companies would rather things that are known to be insecure that others are using, so everyone is in the same boat, so to speak, than to choose something demonstrably more secure that nobody else is using.
In other words, learn about marketing, marketing forces, and securing things after the fact.

gmassman · Answer

Use best IoT practices. Treat a medical device like any new product whose data you want to remain secure. On the device itself, ensure your firmware is inaccessible to curious hackers. Most MCUs provide read back protection so enable it! Ensure OTA updates are encrypted and signed, and only verified bootloaders can decrypt and install firmware. All network communications should be encrypted too; use HTTPS or similar protocols and treat your device certs like you treat your firmware.
On the backend, use web API security best practices. This means only allow API access to authorized devices and/or users. Keep your database secure. There’s tons of resources out there about how to build a secure backend.
Cybersecurity isn’t nearly as complicated as marketers and would-be consultants paint it out to be. Granted, programs are complicated (firmware especially), so invest heavily in good testing to catch insecure code before they manifest into issues.
As far as the FDA is concerned, document everything, probably more that you think is necessary. Write up a clear set of requirements, verification and validation plans, and very thorough design documents. This benefits both them and any future team members that may need to work on the project.

mikewarot · Answer

Please remember that availability is part of security. If the company that makes the device folds, or just decides to stop supporting it, it should remain available, perhaps even a decade or more later. We should never have people with implanted devices that are otherwise functional, because of a lack of software support.