Building Code for Medical Device Software Security

Earlier this month I published a post, “The Importance of Cyber Security in Telemedicine”, highlighting the importance of security for medical devices that can be hacked. Almost as if on cue, or more likely the result of lucky timing, on May 21, 2015, the IEEE Cybersecurity Initiative (www.cybersecurity.ieee.org) published “Building Code for Medical Device Software Security”, authored by Tom Haigh and Carl Landwehr.

The paper is the result of a two-day workshop in November 2014, attended by 40 volunteers from the fields of cyber security, computer programming, and medical devices, among others. The workshop was sponsored by the IEEE Cybersecurity Initiative and the National Science Foundation.

Recognizing that medical devices are vulnerable to malicious attacks that can alter the operation of a device or steal sensitive data, the building code is intended to reduce the risk of such attacks. While the code cannot protect medical devices against every imaginable attack, the authors hope that it will establish a reasonable model code for the industry to apply.

As a lawyer with a responsibility to reduce potential liability for my clients, I will note that the building code does not carry the weight of a law or legal requirement. Along these lines, the FDA has also issued “guidance” on cybersecurity for medical devices (http://1.usa.gov/1FROdcZ), which is likewise not a binding requirement. As more and more medical devices depend on technology that is susceptible to being hacked, manufacturers should stay abreast of attempts to develop industry standards. If a medical device is hacked and sensitive data is leaked, or a patient is injured because the device is hacked, a smart plaintiff’s attorney will ask whether the device implemented security measures in compliance with the building code or other similar industry statements addressing security. While this is still a developing field, and there are no required security standards for all medical devices, a sound practice is to consider security during the development phase of any medical device that depends on hackable technology.

Written by: Richard Sheinis, Esq.