Report Outlines ‘Building Code’ for Medical Device Software

May 22, 2015

Developers of medical device software should use secure coding standards that address known memory access vulnerabilities to protect their products from hacking, a new report says.

The right choice of programming language can help prevent memory errors that make it easy for hackers to break into a system. The Institute of Electrical and Electronics Engineers, which released the report, recommends using restricted subsets of languages such as C or Ada that have been crafted to avoid ambiguities.

IEEE also recommends using automated tools such as thread safety analysis and memory safety error mitigation to secure software systems.

For each code element, companies need to consider four subtexts: a description of the element, the vulnerabilities addressed, the developer resources required and the evaluator resources required.

To prevent tampering after software is installed, IEEE suggests using digital signatures and building in a “whitelist” so the program will run only approved applications.

The report also recommends:

  • Using the least operating system privilege to limit access to the code;
  • Employing hardware or software solutions to protect against malicious observation or modification of the code;
  • Providing a tamper-resistant audit trail for security-related events such as software installation; and
  • Including design elements that can help to ensure safe functioning of software during an attack, or restoration in the wake of one.

Device cybersecurity made headlines recently when Hospira recalled two of its infusion pumps over concerns the software could be hacked (IDDM, May 14). The devicemaker stressed that no breaches in a care setting had been reported.

The IEEE report, Building Code for Medical Device Software Security, drew from a November workshop supported by IEEE’s Cybersecurity Initiative. View the report at www.fdanews.com/05-25-15-code.pdf. — Elizabeth Orr