Reducing cybersecurity risks to medical devices is essential. Regulators like the US Food and Drug Administration (FDA) have made improving medical device security a critical focus in recent years.
This means many in the medical device manufacturing community are now rethinking how the software components of their products are secured throughout their product lifecycles.
For many years, it was common practice to develop embedded systems and “freeze” the software, effectively never touching it after release unless absolutely necessary for critical updates.
But while the embedded system software might be frozen, the world around it certainly is not.
The number of vulnerabilities disclosed in IT products of all types has skyrocketed in recent years. Confirmed exploits and breaches have likewise mounted. And the fact that medical devices are increasingly connected to networks, for remote monitoring, operation and management, means that these devices are no longer isolated and safe because of “air gapping.”
As the threat environment has heightened, regulators have stepped in to scrutinize the security practices of medical device manufacturers to make sure they are adequate.
The FDA’s Premarket and Postmarket guidance for medical device cybersecurity lays out baseline recommendations for ensuring medical products are more secure when they are released and maintain stronger security during deployment.
Security Before and After Product Release
The FDA notes that device security is a shared responsibility among many in the health care sector, including “health care facilities, patients, providers, and manufacturers of medical devices.”
In essence, the FDA guidance recommends that medical device developers design products with security as a central focus from the start. That includes identifying the potential impact of vulnerabilities on device function and assessing what that means for patients and users.
It also calls for manufacturers to identify and assess the risk of vulnerability exploits based on how the product will be used in deployment. The end result should be a device with a stronger security posture and reduced risk of a negative impact on patients and users.
Once a product has been released, the FDA guidance recommends that manufacturers monitor vulnerability information sources, including tracking vulnerabilities that may affect third-party components that are integrated into a medical device. Manufacturers should establish a consistent process for postmarket surveillance of security issues. That requires tracking and assessing vulnerabilities and responding with upgrades and patches for devices in deployment before exploits take place.
The postmarket security maintenance stage is especially critical for products that incorporate Software of Unknown Provenance (SOUP). Most vendors are diligent about pushing out critical updates for their own proprietary software. But the FDA cautions that manufacturers should be especially wary of third-party software that is integrated into medical devices. It may not always be clear when a component is exposed to a vulnerability or when a patch is available. This has major implications for embedded open source cybersecurity.
Timesys Vigiles: FDA Security Guidance Compliance Made Easy
Timesys Vigiles is a Software Composition Analysis (SCA) and Linux/open source software vulnerability monitoring tool for embedded system security. Vigiles offers multiple security maintenance features that simplify compliance with the FDA’s cybersecurity guidance for medical devices.
In its latest release, Vigiles includes automatic generation of a Software Bill of Materials (SBOM) for embedded devices built using Yocto, Buildroot, and Timesys Factory Linux. It also allows the uploading and management of your SBOM.
Vigiles is the industry’s only vulnerability notifier and security maintenance service optimized for embedded systems. Your products will be more secure at release and stay more secure throughout their lifecycles when you use Vigiles.
Our medical device manufacturer customers use Vigiles as the centerpiece of their design and maintenance processes to comply with FDA cybersecurity guidance for medical devices.
Timesys provides solutions to the Top 30 medical device makers, helping them build FDA Class I, II, and III devices for a wide range of medical applications, including diagnostic devices, monitors, therapeutic devices, diagnostic systems, robotically-assisted surgical (RAS) devices and biosciences tools.
Timesys’ Software Engineering Services team excels in addressing remote access, networked device security, secure over-the-air (OTA) updates, device hardening, and system integration — from the BSP to the App and UI. We are the market’s go-to partner of choice for embedded Linux security.
Secure by Design: Vulnerability Visibility
As you develop your products, Vigiles continuously monitors multiple vulnerability feeds, including the National Vulnerability Database (NVD), for better coverage across all vulnerabilities affecting your products. For example, Vigiles continually monitors the hundreds of Common Vulnerabilities and Exposures (CVE) notifications reported in the NVD, pinpointing those that apply to your products’ open source software.
This includes CVE monitoring for Linux and open source packages and libraries, directly addressing one of the chief concerns in the FDA’s medical device cybersecurity guidance. Vigiles’ Linux kernel configuration and U-Boot configuration tracking filters out vulnerabilities that affect features not used in your product, significantly improving triage efficiency.
Among the features available in Vigiles is patch monitoring and notification that enables you to locate and apply updates and patches to Linux and open source components used in your products.
Your software then incorporates the latest, most secure versions of third-party software, a major step in meeting FDA requirements.
Timesys also offers proven, expert guidance on Secure by Design best practices, including embedded Linux secure boot and encrypted data storage as well as embedded Linux hardening and chain of trust configuration.
Even if your medical device is not handling patient data directly, Timesys’ solutions cut the chance that a breach would put other systems that handle such data at risk. Our solutions help your customers avoid privacy breaches of Protected Health Information (PHI) of the sort identified under HIPAA and other regulations.
Staying Secure: FDA-Aligned Security Maintenance
When products are released and deployed, ongoing security maintenance is essential for complying with the FDA’s Postmarket guidance for medical device cybersecurity.
Vigiles constantly takes in data from vulnerability reporting sources and compares vulnerability notifications to your SBOM, serving as a vulnerability monitoring feed to enable you to understand how vulnerabilities apply to your products across all versions and branches.
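To make the SBOM-to-CVE matching described here (and the kernel configuration filtering mentioned under Secure by Design) concrete, the following is an added illustration and not Vigiles code: it compares a constructed SBOM against constructed advisory records with version ranges, then drops kernel advisories whose affected code is not enabled in the product's .config. The CVE ids, packages, versions and ranges are all made up for the example.

```python
"""Match an SBOM against advisories and filter by kernel config (constructed data)."""
import re

# Constructed SBOM entries, as a Yocto or Buildroot build would list them.
SBOM = [("openssl", "1.1.1k"), ("busybox", "1.33.0"), ("linux-yocto", "5.10.41")]

# Constructed advisory records (placeholder ids, not real CVEs): affected package,
# inclusive lower bound, exclusive upper bound, and for kernel entries the Kconfig
# option that the vulnerable code depends on.
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "pkg": "openssl", "lo": "1.1.1", "hi_excl": "1.1.1l"},
    {"id": "CVE-EXAMPLE-0002", "pkg": "busybox", "lo": "1.30.0", "hi_excl": "1.33.0"},
    {"id": "CVE-EXAMPLE-0003", "pkg": "linux-yocto", "lo": "5.0", "hi_excl": "5.10.50",
     "config": "CONFIG_BT"},
    {"id": "CVE-EXAMPLE-0004", "pkg": "linux-yocto", "lo": "5.0", "hi_excl": "5.10.50",
     "config": "CONFIG_NET"},
]

# Constructed fragment of a kernel .config: networking built in, Bluetooth disabled.
KERNEL_CONFIG = "CONFIG_NET=y\n# CONFIG_BT is not set\nCONFIG_USB=m\n"


def version_key(version):
    """Turn '1.1.1k' into [(0,1),(0,1),(0,1),(1,'k')] so that numeric fields compare
    numerically and a trailing letter suffix sorts after the bare version."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[a-z]+", version.lower())]


def enabled_options(config_text):
    """Options set to =y or =m are compiled in; '# ... is not set' lines are ignored."""
    return set(re.findall(r"^(CONFIG_\w+)=[ym]", config_text, re.M))


def triage(sbom, advisories, config_text):
    """Return (applicable ids, ids filtered out because their Kconfig option is off)."""
    versions = dict(sbom)
    enabled = enabled_options(config_text)
    applicable, filtered = [], []
    for adv in advisories:
        ver = versions.get(adv["pkg"])
        if ver is None:
            continue  # package not in this product's SBOM
        if not version_key(adv["lo"]) <= version_key(ver) < version_key(adv["hi_excl"]):
            continue  # shipped version is outside the affected range
        if adv.get("config") and adv["config"] not in enabled:
            filtered.append(adv["id"])  # vulnerable subsystem not built: not applicable
            continue
        applicable.append(adv["id"])
    return applicable, filtered
```

Running triage(SBOM, ADVISORIES, KERNEL_CONFIG) reports CVE-EXAMPLE-0001 and CVE-EXAMPLE-0004 as applicable, drops the busybox entry because 1.33.0 is the fixed version, and sets CVE-EXAMPLE-0003 aside because CONFIG_BT is not set.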
Our curated service provides a 40% accuracy improvement over NVD data alone, which means your team will waste far less time chasing “Vulnerability Ghosts” and false positives. If Vigiles reports an embedded device CVE affecting your products, you can have confidence the CVE is real and current, and your team’s efforts will be focused on issues that really matter.
Vigiles also gives you expedited notification of newly reported vulnerabilities before they are officially published in the NVD. This gives you an all-important window of time to mitigate vulnerabilities before they are widely publicized and before the hacking community has developed exploits to take advantage of vulnerabilities.
Get Started Now for Free
Vigiles reduces work cycles spent analyzing and addressing vulnerabilities by 90 percent or more.
Vigiles is available in three versions including Vigiles Prime, a version that enables you to start vulnerability monitoring of your product SBOM today with a 30-day free trial. More advanced commercially supported versions of Vigiles include SBOM (Software Bill of Materials) management and generation, patch monitoring, suggested mitigations for vulnerabilities, collaboration features helpful to distributed software engineering and product security teams, and advanced vulnerability triage tools.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with world-leading semiconductor manufacturers, delivering smart, quick and high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.