The CVE (Common Vulnerabilities and Exposures) process is the main method of exposing security vulnerabilities which are generally a result of issues in software. With the ubiquity of open-source (especially Linux and popular packages such as OpenSSL or SQLite) in medical devices, many of these vulnerabilities potentially affect these devices, but CVEs can exist anywhere and several have been filed against proprietary software as well. CVE monitoring is a process where new CVEs are evaluated against the modules in the device, allowing the manufacturer to determine appropriate action when new vulnerabilities are discovered. Regulatory bodies are insisting on a strategy of managing CVEs both pre and post release to satisfy security requirements for medical devices. While a manufacturer can perform these activities themselves, it is simpler to use a commercial distribution of this software, such as Siemens Embedded Linux products, and Nucleus RTOS.

It is well known that it is vital in all aspects of medicine to protect private patient data from those that are not authorized to access it. Laws such as HIPAA (Health Insurance Portability and Accountability Act) in the United States and the GDPR (General Data Protection Regulation) in Europe make these rules clear. These regulations apply equally to medical devices; when considering this in design, it is important not only to protect this data through expected operation of the device, but to protect it from security threats both known and unknown at the time of manufacture. Siemens Embedded can help customers fulfill privacy requirements both in terms of the design of the device’s security features, and in protecting the device from newly found exploits that could impact customers and patients in the future.