Once a new medical device has been released to the public market, manufacturers still have cybersecurity concerns to address. Products tend to develop vulnerabilities throughout their lifecycle due to compromised dependencies, insecure changes, or new techniques used by attackers. As part of their responsibility for cybersecurity in these devices, manufacturers must have a plan to address postmarket threats. Beyond security's own sake, such a plan is an FDA requirement for market submissions.
Routine Maintenance
A major part of software development is the routine maintenance of completed products. A product will rarely be released with no need for changes in the future. The reason for these changes can be varied; commonly, though, developers may look to add functionality, improve design, and, of course, improve security. These changes will usually be made fairly consistently, ranging from every few weeks to every few months, depending on the product.
Routine patch cycles are usually used to address general concerns and milder vulnerabilities. When a vulnerability is not deemed to have a severe impact, it may not require the same urgency and attention as an extremely dangerous one. These flaws should not be left unaddressed for too long, but folding them into a standard development cycle can be acceptable. Building this cycle and having a system to differentiate between critical and less severe flaws is a crucial step in the development process.
To gauge the severity of a vulnerability, a tool designed for that purpose, such as the Common Vulnerability Scoring System (CVSS) framework, can be helpful. It lets teams weigh the risk a vulnerability poses to the device and its network and see how dangerous it can be. Using a standardized methodology for this analysis also keeps results traceable and understandable to interested parties.
It can be a good idea to engage a security specialist's services to help understand the impact of vulnerabilities. Many vulnerabilities may seem insignificant on their own but can be combined or escalated to have a major impact. Routine security testing of medical devices helps establish just how problematic a flaw is. Performing this testing also helps uncover vulnerabilities that may have been missed internally.
Emergency Patching
In some cases, emergency patching may be needed. This is typically when a massive flaw is discovered with a potentially devastating impact on the device. As with less severe vulnerabilities, a framework such as CVSS can be used to understand what is at stake. If the vulnerability is rated high or critical severity, it should be addressed immediately.
When one party discovers a vulnerability, there is a possibility that another party can find it as well. If that party is malicious, they could be silently exploiting devices through this dangerous 0-day flaw. Even after an advisory has been published, attackers will hunt for machines still running old, exploitable versions of the software. Because of this, it is important to release patches for severe vulnerabilities in a timely and efficient manner.
Users of the product also need to be informed about the event and the steps they can take to mitigate the vulnerability. They should be told about the emergency patch, how to get it properly installed, and why it is important to do so immediately. Especially with medical devices, the time it takes to get a functional patch released and installed on customer devices is critical. The longer these devices remain insecure, the higher the odds of being compromised by a threat actor.
Sometimes, an emergency patch will take some time to release or may not be possible in the current situation. In this case, manufacturers must develop a plan to mitigate the vulnerability through other means. If a certain aspect of the device has a critical vulnerability, manufacturers may wish to put out an advisory recommending administrators disable that aspect while a patch is developed. These fixes should usually be viewed as temporary solutions, not permanent fixes.
Consult Blue Goat Cyber For Your Medical Device Security Needs
Blue Goat can help your team through pre- and post-market processes to secure your medical device. We can help you navigate the latest FDA requirements and get your device safely and quickly to market. Contact us to schedule a discovery session.