It is vital that medical device developers consider security as part of the designs of their products. There are a number of issues to consider:
Regulators worldwide are putting more emphasis on security for medical devices every year. Security requirements need to have the same level of care and consideration applied to them as the functional and safety requirements.
Siemens Embedded has the products, services and experience to help medical device developers succeed in developing their products quickly, safely, and securely. Siemens Embedded also has the expertise to help these developers satisfy reviewers and regulators, which means that Siemens Embedded’s products minimize risk and help to satisfy these demanding requirements.
Siemens delivers embedded software solutions that enable device manufacturers to quickly design and build high quality connected devices, including those with rich user interfaces, cloud-based remote management, or requiring safety certification. Base technologies include Linux, the Nucleus real-time operating system, advanced multicore runtime and IoT enablement and development tools.
The CVE (Common Vulnerabilities and Exposures) process is the main method of exposing security vulnerabilities, which are generally the result of issues in software. With the ubiquity of open-source software (especially Linux and popular packages such as OpenSSL or SQLite) in medical devices, many of these vulnerabilities potentially affect these devices, but CVEs can exist anywhere and several have been filed against proprietary software as well. CVE monitoring is a process in which new CVEs are evaluated against the modules in the device, allowing the manufacturer to determine appropriate action when new vulnerabilities are discovered. Regulatory bodies are insisting on a strategy of managing CVEs both pre- and post-release to satisfy security requirements for medical devices. While a manufacturer can perform these activities themselves, it is simpler to use a commercial distribution of this software, such as Siemens Embedded Linux products and Nucleus RTOS.
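The evaluation step of CVE monitoring described above can be sketched as follows. This is an added example, not Siemens code: the `Advisory` fields, the device manifest, the version ranges and the `CVE-XXXX-…` identifiers are all constructed placeholders, and versions are assumed to be purely numeric and dot-separated.

```python
from dataclasses import dataclass
from typing import Optional


def parse_version(text):
    """'5.10.120' -> (5, 10, 120), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str             # placeholder ID, not a real CVE
    component: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet


def affects(adv, installed):
    version = parse_version(installed)
    if version < parse_version(adv.introduced):
        return False
    return adv.fixed is None or version < parse_version(adv.fixed)


def monitor(device_modules, advisories):
    """Return (cve_id, component, installed, action) for advisories that hit the device."""
    findings = []
    for adv in advisories:
        installed = device_modules.get(adv.component)
        if installed is None or not affects(adv, installed):
            continue
        action = f"upgrade to >= {adv.fixed}" if adv.fixed else "no fix yet: assess and mitigate"
        findings.append((adv.cve_id, adv.component, installed, action))
    return findings


# Constructed device manifest: module -> shipped version.
DEVICE_MODULES = {"linux": "5.10.120", "openssl": "3.0.7", "sqlite": "3.39.2"}

# Constructed advisories; IDs and version ranges are placeholders.
ADVISORIES = [
    Advisory("CVE-XXXX-0001", "openssl", "3.0.0", "3.0.8"),   # in range
    Advisory("CVE-XXXX-0002", "sqlite", "3.40.0", "3.41.0"),  # introduced after shipped version
    Advisory("CVE-XXXX-0003", "linux", "5.4.0", None),        # in range, no fix yet
    Advisory("CVE-XXXX-0004", "zlib", "1.2.0", "1.2.12"),     # module not on device
    Advisory("CVE-XXXX-0005", "linux", "5.10.0", "5.10.13"),  # 120 > 13: already fixed
]

if __name__ == "__main__":
    for finding in monitor(DEVICE_MODULES, ADVISORIES):
        print(*finding, sep=" | ")
```

The last advisory shows why versions are parsed into integers: a plain string comparison would rank `5.10.120` below `5.10.13` and report a vulnerability that the shipped kernel has already fixed.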
The FDA publishes guidance that touches on the security aspects of software in Medical Devices; the two most important of which are the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”, and “Post-market Management of Cybersecurity in Medical Devices”. The documents cover the expectations placed on device manufacturers to keep the device and the data it is handling secure. The FDA also provides guidance for the use of Commercial Off-The-Shelf (COTS) software which touches on the security of the device by placing requirements on the COTS that might be used. In all cases, the FDA requires a risk-based approach, where risks are assessed, and if significant (based on the class of the device), then the risk is required to be mitigated. Siemens Embedded has significant experience in products and services to help customers mitigate software risk, and to pass regulatory approval.
It is well known that it is vital in all aspects of medicine to protect private patient data from those that are not authorized to access it. Laws such as HIPAA (Health Insurance Portability and Accountability Act) in the United States and the GDPR (General Data Protection Regulation) in Europe make these rules clear. These regulations apply equally to medical devices; when considering this in design, it is important not only to protect this data through expected operation of the device, but to protect it from security threats both known and unknown at the time of manufacture. Siemens Embedded can help customers fulfill privacy requirements both in terms of the design of the device’s security features, and in protecting the device from newly found exploits that could impact customers and patients in the future.
This is a summary of key elements of the Security Rule
How to respond to the ever-changing security threat landscape facing embedded devices.
Common Vulnerabilities and Exposures Database