Medical Device Security: A New Look at Open Source Software

June 04, 2017 By Derek Weeks

4 minute read time

We all do it. When we sense something wrong with our health, we often go to the internet, plug in our symptoms and try to diagnose the issue.  

In our ever-connected world, we are not the only ones using the internet.  In order to improve the effectiveness and safety of our healthcare system, hospital infrastructure, medical devices, and doctors are also connected to the internet.  The smarter our healthcare systems are, the better quality of care we’ll receive.  

Then there is this:

iStock-616893490.jpg

Fit, healthy, and secure

In order to keep us healthy and ensure proper care, our connected healthcare systems also need to be secure.

An effort to keep our healthcare system and medical devices secure is being spearheaded by the Healthcare Industry Cybersecurity Task Force.  Last week, the task force released a comprehensive report stating “the healthcare system cannot deliver effective and safe care without deeper digital connectivity. If the healthcare system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security.”

The task force identified six high-level imperatives to guide recommendations and actions for the healthcare community addressing leadership, the workforce, information sharing, and software application analysis.

Software Bill of Materials

Among the recommendations from the task force was the call to improve transparency with regard to open source software components being used in medical devices:

Improve manufacturing and development transparency among developers and users.  In order to track medical device vulnerabilities, there is a need for transparency regarding third party software components. Having a “bill of materials”is key for organizations to manage their assets because they must first understand what they have on their systems before determining whether these technologies are impacted by a given threat or vulnerability. Moreover, this transparency enables healthcare providers to assess the risk of medical devices on their networks, confirm components are assessed against the same cybersecurity baseline requirements as the medical device, and implement mitigation strategies when patches are not available.”

The recommendation ends by stating, “To date, this practice has not been widely adopted”.

While cybersecurity practices across the medical device industry need to be improved, the technology to support them has been accessible for years.  For any medical device makers looking to create a “software bill of materials”, Sonatype offers this analysis as a free service.  The creation of a bill of materials is simple; the end-to-end lapse time to analyze an average sized application is between 10 - 15 seconds.

Screen Shot 2017-06-04 at 4.03.53 PM.png

Tags: software bill of materials, Devops, Medical Device Security

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.