that could lead to harm. This activity
will help to gain insight into hazards
that affect integrity and availability of
˲ Match the production lifecycles
of underlying software to the production lifecycles of the medical device. If
a component is known to have a limited lifetime, then the medical device
using that component runs the risk of
inheriting the limited lifetime.
Modern healthcare delivery depends
on medical device software to help patients lead more normal and healthy
lives. Medical device security problems are real, but the focus on hacking
goes only skin deep. Consequences of
diminished integrity and availability
caused by untargeted malware include
the inability to deliver timely and effective patient care. By addressing security and privacy risks at the concept
phase, medical devices can remain safe
and effective despite the cybersecurity
threats endemic to computing. Security of medical devices is more than just
a potential problem on the horizon.
Kevin Fu (firstname.lastname@example.org) is an associate professor
in the Division of Computer Science and Engineering at the
University of Michigan.
James Blum (email@example.com) is an assistant
professor in the Department of Anesthesiology with the
University of Michigan Health System.
This work was supported in part by NSF CNS-1331652
and HHS 90TR0003/01. Any opinions, findings, and
conclusions expressed in this material are those of
the authors and do not necessarily reflect the views
of NSF or HHS.
Copyright held by author/owner(s).
The FDA recommends that manufacturers provide:
˲ A specific list of all cybersecurity
risks that were considered in the design of a device;
˲ A specific list and justification for
all cybersecurity controls that were established for a device;
˲ A traceability matrix that links actual cybersecurity controls to the cybersecurity risks that were considered;
˲ The systematic plan for providing validated updates and patches to
operating systems or medical device
software, as needed, to provide up-to-date protection and to address the
˲ Appropriate documentation to
demonstrate that the device will be
provided to purchasers and users free
of malware; and
˲ Device instructions for use and
product specifications related to recommended anti-virus software and/or
firewall use appropriate for the environment of use, even when it is anticipated that users may use their own
virus protection software.
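The first three items in the list above (risks considered, controls with their justification, and the traceability matrix linking them) can be cross-checked mechanically. The sketch below is an added example, not part of the original article or of FDA guidance; the identifiers (R1, C1, ...) and all sample entries are constructed.

```python
# Added example: cross-check a risk list, a control list and a traceability
# matrix. Data layout and all sample entries are assumptions for illustration.

def check_traceability(risks, controls, matrix):
    """risks:    {risk_id: description}
    controls: {control_id: {"description": str, "justification": str}}
    matrix:   iterable of (control_id, risk_id) links
    Returns findings; all lists empty means the three artifacts agree."""
    links = set(matrix)
    # Keep only links whose control and risk both appear in the lists.
    valid = {(c, r) for c, r in links if c in controls and r in risks}
    return {
        # Links naming a control or risk that is missing from the lists.
        "dangling_links": sorted(links - valid),
        # Controls listed without the justification the list asks for.
        "unjustified_controls": sorted(
            c for c, meta in controls.items()
            if not meta.get("justification", "").strip()),
        # Considered risks that no listed control is linked to.
        "uncovered_risks": sorted(set(risks) - {r for _, r in valid}),
        # Controls that are linked to no considered risk.
        "orphan_controls": sorted(set(controls) - {c for c, _ in valid}),
    }

def render_matrix(risks, controls, matrix):
    """Return the matrix as text rows: one row per control, 'X' per link."""
    links = set(matrix)
    risk_ids = sorted(risks)
    rows = ["      " + " ".join(f"{r:>3}" for r in risk_ids)]
    for c in sorted(controls):
        marks = " ".join(
            f"{'X' if (c, r) in links else '.':>3}" for r in risk_ids)
        rows.append(f"{c:<6}" + marks)
    return rows

# Constructed sample submission data.
SAMPLE_RISKS = {
    "R1": "Untargeted malware degrades device availability",
    "R2": "Unvalidated OS patch changes device behavior",
    "R3": "Device delivered to purchaser with malware present",
}
SAMPLE_CONTROLS = {
    "C1": {"description": "Allow-list of executables",
           "justification": "Blocks unapproved binaries from running"},
    "C2": {"description": "Validated, signed update packages",
           "justification": "Only manufacturer-validated patches install"},
    "C3": {"description": "Host firewall", "justification": ""},
}
SAMPLE_MATRIX = [("C1", "R1"), ("C2", "R2"), ("C4", "R3")]  # C4 is not listed

if __name__ == "__main__":
    print("\n".join(render_matrix(SAMPLE_RISKS, SAMPLE_CONTROLS, SAMPLE_MATRIX)))
    print(check_traceability(SAMPLE_RISKS, SAMPLE_CONTROLS, SAMPLE_MATRIX))
```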
International Role of Standards and Clinical Facilities
Standards bodies are taking actions
to improve medical device cybersecurity. For instance, the Association for
the Advancement of Medical Instrumentation (AAMI) recently formed a
working group on medical device security that includes engineers from
manufacturing and regulators. AAMI
has already released standards specific to network-related cybersecurity
risks (ANSI/AAMI/IEC-80001). International harmonization of cybersecurity guidance is likely on the horizon,
given that phrases such as “security
patches” appear in proposals from the
International Medical Device Regulators Forum.
Recommendations to Improve Medical Device Cybersecurity
˲ Manufacturers should consider cybersecurity during the design phase of
the medical device. Security is difficult
to bolt on after the fact, and is most effective when designed in.
˲ Incentivize user facilities (for
example, hospitals) to report security incidents and vulnerabilities