The CVE (Common Vulnerabilities and Exposures) process is the main method of making available information-security vulnerabilities that are, almost entirely, a result of issues in software. With the ubiquity of open-source (especially Linux and popular add-on packages such as OpenSSL or SQLite) in medical device software, many of these vulnerabilities potentially affect these devices, but CVEs can be filed against any vulnerability and several have been filed against proprietary software as well. CVE monitoring is a process where new CVEs are evaluated against the modules in the device, allowing the device manufacturer to determine appropriate action when new CVEs are found. Regulatory bodies, including the FDA, are insisting on a strategy of managing CVEs both pre and post-release to satisfy security requirements for medical devices. While a manufacturer can perform these activities themselves, it is simpler and easier if you use a commercial distribution of this software, such as Sokol Flex OS, Sokol Omni OS, and Nucleus RTOS.

It is well known that it is vital in all aspects of medicine to protect private patient data from those that are not authorized to access it. Laws such as HIPAA (Health Insurance Portability and Accountability Act) in the United States and the GDPR (General Data Protection Regulation) in Europe make these rules clear. These regulations apply equally to medical devices; when considering this in design, it is important not only to protect this data through the expected operation of the device but to protect it from security threats both known and unknown at the time of manufacture. Siemens Embedded can help customers fulfill privacy requirements both in terms of the design of the device’s security features and in protecting the device from newly found exploits that could impact customers and patients in the future.