exida has traditionally been involved in industries such as oil and gas, chemicals, power generation and automotive. While these are a diverse set of industries, many of the techniques that we use such as FMEDA (Failure Modes Effects and Diagnostic Analysis), Risk Assessment, Threat Modelling, etc. can be applied across these different industries, usually with minor variations. A recent trend we have seen involves medical devices applying some of these same techniques. Recently, we performed an FMEDA on a ventilator which was being designed for the COVID-19 crisis.
Another area where there seems to be some overlap is in cybersecurity. exida has been certifying devices, processes, and systems to the IEC 62443 series of standards for over 10 years now, but recently we have received several requests from medical device manufacturers trying to determine if this standard is applicable to them. While this series of standards was originally developed for Industrial Automation and Control Systems (IACS), it has been found that the standards are often applicable to any control system. In 2017, the ISA Security Institute performed a study of the applicability of the series to Building Control Systems (BCS). This report can be downloaded here. The report concluded that existing ISASecure certifications, based on IEC 62443, can be applied to BCS.
IEC 62443 Certification for Medical Devices
A similar situation exists for medical devices. In 2014, the Food and Drug Administration (FDA) in the United States concluded that the standard was relevant to medical devices and added it to their recognized consensus standards list. In addition, the British Standards Institute has recommended IEC 62443 for medical devices. The specific parts of IEC 62443 that would apply to the medical devices themselves are part 4-1: Secure Product Development Lifecycle Requirements and part 4-2: Technical security requirements for IACS components. These two standards define the processes you must use in order to develop a secure product (Part 4-1) and the security capabilities that the product must have (Part 4-2). Since many security vulnerabilities are caused by bugs in the software, it is important to follow a process that attempts to eliminate such vulnerabilities during the design and development of the product. In addition, products should have a minimum set of security capabilities such as encrypting data sent over the network, requiring strong passwords, and enforcing least privilege. IEC 62443 defines four security levels which correspond to the required capabilities of components and systems. Capability Security Level 1 (SL-C-1) only protects against casual or coincidental violation by non-malicious users. As such, the number of security capabilities at this level is small and rather basic. The highest level, SL-C-4, protects against intentional violation using sophisticated means, with extended resources, IACS-specific skills and high motivation. These are often referred to as nation-state level attackers. Therefore, at this security level the required security capabilities of the product are quite rigorous.
Recently, exida issued our first IEC 62443 certification for a medical device manufacturer. The certification was to the relevant requirements of IEC 62443-4-1 for the cybersecurity test lab of GE Healthcare. For medical devices, these standards can provide great guidance on how to minimize vulnerabilities in products as they are developed and how to ensure that they have the required security capabilities to protect against the expected level of threats. By following these standards, medical device companies can avoid having to reinvent the wheel and instead follow best practices that have been developed by many experts around the world.