New Guidelines Aim at Safer Medical Device Software

Networked medical devices may soon become more secure, thanks to a new set of guidelines intended to help companies establish a secure baseline for software development. The Institute of Electrical and Electronics Engineers (IEEE) has announced the publication of Building Code for Medical Device Software Security, which outlines a set of security requirements for production practices of medical devices. Authored by security research scientists Tom Haigh and Carl Landwehr, the new standards provide a blueprint for reducing or eliminating vulnerabilities that others might exploit to gain access to medical devices.

According to the IEEE announcement, in order to make substantive progress in the realm of cybersecurity, companies producing software for commercial software must take the lead to reduce vulnerabilities at the point of origin. Most exploited vulnerabilities are due to accidental implementation errors, IEEE reports, which can be avoided or significantly reduced through the use of specific programming languages and automated tools for checking software.

“Similar to building codes that were developed over centuries to guide the production of physical buildings, the elements contained in Building Code for Medical Device Software Security are intended as the beginning of a model code for software security for the medical device industry,” said Carl Landwehr, IEEE fellow and research scientist, Cyber Security Policy and Research Institute at George Washington University. “This is just a starting point that developers can use to rule out the most commonly exploited classes of software vulnerabilities during the implementation phase. There is more work to do, so we encourage the industry to participate in our effort to create a foundation for a more complete code for the medical device industry to apply.”

The document’s release reflects the goal of the IEEE Cybersecurity Initiative to shape and lead a technical agenda by providing tools for computer security education, guidance on secure software coding, and software assurance engineering. The IEEE Cybersecurity Initiative is a program of the IEEE Future Directions Committee, designed to develop and share educational tools, events, and content for emerging technologies. To learn more, visit the cybersecurity initiative page on the IEEE website.