Security requirements need to have the same level of care and consideration applied to them as the functional and safety requirements. Addressing security is not only the right thing to do from a product standpoint; regulators worldwide are also putting more emphasis on security concerns for medical devices with each passing year.
When considering the security requirements for your device, you should also consider the security expertise of your software suppliers, whether they are supplying proprietary software, open-source software or a combination thereof. Siemens Embedded Solutions has the products, services, know-how and experience to help medical device developers succeed in developing their products quickly, safely, and securely. Siemens Embedded also has the expertise to help these developers satisfy reviewers and regulators, which means that Siemens Embedded’s products minimize risk and help to satisfy these demanding requirements.
Siemens delivers embedded software products that enable device manufacturers to quickly design and build high-quality connected devices, including those with rich user interfaces, cloud-based remote management, or safety certification requirements. Base technologies include Linux, the Nucleus real-time operating system, advanced multicore runtime, and IoT enablement and development tools.
The CVE (Common Vulnerabilities and Exposures) process is the main method of publishing information-security vulnerabilities, which are almost entirely the result of issues in software. With the ubiquity of open-source software (especially Linux and popular add-on packages such as OpenSSL or SQLite) in medical device software, many of these vulnerabilities potentially affect these devices. CVEs can be filed against any vulnerability, however, and several have been filed against proprietary software as well. CVE monitoring is a process in which new CVEs are evaluated against the modules in the device, allowing the device manufacturer to determine appropriate action when new CVEs are found. Regulatory bodies, including the FDA, are insisting on a strategy of managing CVEs both pre- and post-release to satisfy security requirements for medical devices. While manufacturers can perform these activities themselves, it is simpler and easier to use a commercial distribution of this software, such as Sokol Flex OS, Sokol Omni OS, and Nucleus RTOS.
The FDA publishes significant guidance that touches on the security aspects of the software in medical devices. The two most important documents are the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” and “Post-market Management of Cybersecurity in Medical Devices”. These documents cover the activities and expectations that the device manufacturer must consider both during the development of the device and after its release to keep the device and the data it handles secure. The FDA also provides guidance for the use of Commercial-Off-The-Shelf (OTS) software in medical devices, which also touches on the security of the device by placing requirements on the OTS software a developer might use on these devices. In all cases, the FDA requires a risk-based approach, in which risks are assessed and, if a risk is significant (based on the class of the device), it must be mitigated for the software to be used. Mentor Embedded has significant experience in both product and service offerings to help customers mitigate the risk of the software used in their devices and pass regulatory approval.
It is well known that it is vital in all aspects of medicine to protect private patient data from those who are not authorized to access it. Laws such as HIPAA (Health Insurance Portability and Accountability Act) in the United States and the GDPR (General Data Protection Regulation) in Europe make these rules clear. These regulations apply equally to medical devices. When considering this in design, it is important not only to protect this data during the expected operation of the device but also to protect it from security threats both known and unknown at the time of manufacture. Siemens Embedded can help customers fulfill privacy requirements both in terms of the design of the device’s security features and in protecting the device from newly found exploits that could impact customers and patients in the future.