With standards, regulations, statutes, etc., many feel these are a speed bump for their product. In the interest of the field, the industry, patient safety, and security, they are a great idea. Without them in place, medical device cybersecurity could become like the Wild West, with every entity doing its own thing and following no guidance.
The FDA has recognized three new standards focused on medical device software security. These cover the total product lifecycle of medical device cybersecurity, data logging, software use, and reasonable software testing.
The first noted standard is ANSI/AAMI 2700-2-1. This standard is focused on the safe use of medical device software in the integrated clinical environment (ICE). Its specific subject is data loggers that appropriately collect data in these systems, covering the recording, storage, and playback of that data. The data would be used for safety, quality assurance, and forensic analysis.
The second standard is ANSI/AAMI SW96:2023, which provides guidance on methods for managing security risk. Medical devices present a unique security risk. The standard addresses several security areas: identifying threats and vulnerabilities, and the controls to put in place to mitigate them.
Lastly, ISO/IEC/IEEE 29119-1 provides guidance on germane topics in the field, including software testing.
These standards provide additional guidance and a framework to further the safety and security of these products. By incorporating them into our security practice, the attack surface shrinks and potential attacks are mitigated.
Enterprise and Embedded System Cybersecurity Engineering & Architecture
Red Team Product Pentesting | HW & SW BoMs | CBoM | Vulnerability Management | Tabletop Exercises (TTX) | Embedded Systems Architecture | Threat Intelligence | TARA (Threat Assessment and Remediation Analysis) | Supply Chain Cybersecurity Review | Reverse Engineering
charles.parker@mielcybersecurity.net 810-701-5511