Book a Demo Support

The Role of Static Analysis in Management of Cyber Security in Medical Devices

download pdf

INTRODUCTION

The FDA, recognizing the need for more robust security in medical devices, issued its guidance on managing cybersecurity in 2014. The growth of wireless, networked, and Internet-connected devices means that medical devices are more at risk than ever before. In addition, medical devices deal with patient safety and privacy unlike other classes of devices. Risk management (including security hardening and vulnerability management) is the cornerstone of medical device software development, and static analysis plays a key role in the process.

FDA GUIDANCE AND STATIC ANALYSIS
Home health care and medical “wearables” are increasing

exponentially and are just one area of growth for medical devices. As with other medical and IoT opportunities, there are safety, security, and privacy concerns associated with this growth. Figure 1 to the left indicates the level of growth forecast.

The FDA-published guidance is quite broad, giving high-level direction for managing security. It includes a strong argument for automated tools, based on the following guidelines:

  • » Manufacturers should address cybersecurity during the design and development of the medical device: As something GrammaTech has been communicating for some time, building in security from the start (rather than adding it on later in development) is the key. More on this follows.
  • » The design and development approach should appropriately address identification of assets, threats, and vulnerabilities: Static analysis integrates seamlessly with good software development processes and specifically aids in detection and identification of security vulnerabilities in code and binaries.
  • » Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients and the likelihood of a threat and of a vulnerability being exploited: Using tainted data analysis, GrammaTech CodeSonar can trace the source of data throughout the software to indicate potential vulnerabilities from outside sources.
  • » In the premarket submission, manufacturers should provide documentation related to the cybersecurity of their medical device: Static analysis tools provide reporting tools to assist in process documentation, test completion, and software readiness.

SECURING MEDICAL DEVICES

Static analysis is an important part of a security-first design and development approach. GrammaTech recommends four steps to improve an existing development process, prioritizing security and making it a top-level requirement:

  1. Design with a “security-first” philosophy.
    For highly-connected medical devices, security must be a prime consideration during all stages of development. The smart development team builds security requirements, development, and testing into the risk management plan, schedule, and budget. To address the potential unknowns and risks with device security, automated software tools are a significant boon to security assurance.
  2. A system-wide threat assessment and analysis.
    Your medical device is part of a larger clinical environment – understanding the potential security issues at a system level is critical. Assessing the known and theoretical attack vectors to your device is essential in order to identify the security risks that feed into your risk management plan.
  3. Leverage automated tools as much as possible.
    Security adds additional burdens to development teams and is often outside the realm of developers’ expertise. Automated static analysis, for example, can find defects and security threats in code that traditional manual and automated techniques miss. Static analysis is now an essential component in the security assurance tool set.
  4. Use binary analysis to ensure the quality and security of third-party code.
    Reliance on third-party software and software of unknown quality and security is risky. Binary static analysis (and a combination of source and binary analysis) provides an automated technique for analyzing third-party software, ensuring it meets the whole system’s quality and security standards.

THE RETURN ON INVESTMENT FOR STATIC ANALYSIS

Static analysis tools are highly recommended by software safety standards and for good reason. The majority of software development costs come from fixing problems in code, so finding defects early in the development cycle can save costs dramatically. Static analysis helps reduce risk, cost, time, and money in the following ways:

» Finds defects before unit testing:
Static analysis tools can be used right at the developer’s desktop environment and can prevent defects before they enter the build system and the unit test phase of development.

» Finds defects that testing misses:
Unit testing, even on projects demanding high code-coverage levels, can still miss important defects.

» Prevents defects in the first place:
Enforcing strict coding standards, such as MISRA C, can help prevent many classes of defects in code from the beginning. Enforcing good discipline in coding and creating a develop-analyze-test micro cycle for small code changes can prevent many defects from being created in the first place.

» Analyzes SOUP:
The use of third-party code such as commercial off-the-shelf software (COTS) and open-source software is common in medical device software development. Software of unknown pedigree (SOUP) needs to be managed carefully for safety and security before inclusion in a device. Static analysis tools can analyze third-party sources and binaries to discover defects and security vulnerabilities in software that could be impossible to test otherwise.

» Accelerates premarket submission:
Static analysis (and many other testing and lifecycle management tools) provides automated documentation to support testing, coding standard, and quality/robustness evidence. Much of the manpower used in satisfying safety certifications is documentation and evidence production – automation (specifically static analysis) reduces this burden significantly.

CONCLUSION

Static analysis and application lifecycle management tools fit well with the FDA’s published guidance on managing cybersecurity in medical devices. Following a “security-first” mindset and process, manufacturers can build in security rather than make it an add-on. Static analysis tools provide tangible benefits within the development to reduce risk, cost, and time.

REFERENCES:

Content of Premarket Submissions for Management of Cybersecurity in Medicals

A Four-Step Guide to Security Assurance for IoT Devices 

Static analysis essential for affordable safety critical software

Share post:

Related White Papers

If you enjoyed this white paper, please check out more on similar topics.

View All white papers

  • Using a SBOM to Make Better Software Security Decisions

    Software supply chain attacks are on the rise. Many of the high-profile cybersecurity news stories such the SolarWinds attack and the Apache Log4j vulnerability tell a tale of attackers exploiting vulnerabilities and weaknesses in the software supply chain. The mode of operation can range from fairly simple exploits of known vulnerabilities like Log4Shell to very sophisticated attacks,…

    Read More

  • Managing Software Supply Chain Risk in Medical Devices

    Modern medical devices are gaining complexity, and as connectivity to the internet, cloud, and outside world increases, so does the security challenge. Further, medical devices for home use are increasing exponentially, so devices must withstand a non-clinical environment while communicating on insecure home networks. And with medical devices, security risks are also safety risks, which increases development costs and liability. To address…

    Read More

  • How to Avoid Common Pitfalls in MISRA Compliance

    BACKGROUND In embedded development, C remains an extremely popular choice of language. Although other languages, such as Ada, C++, and Java are used in some circumstances, and model-driven development is becoming more popular in specific domains, about 50% of the code running on embedded systems is still hand-written C. C is a great language in…

    Read More

  • Exida – Improving Software Security & Comply with IEC 62443

    Using CodeSecure CodeSentry and CodeSonar. download pdf 1 Purpose and Scope In order to develop secure code free of vulnerabilities, suppliers are increasingly following a secure development lifecycle to achieve these goals. The IEC 62443-4-1 standard (Security for industrial automation and control systems –Part 4-1: Secure product development lifecycle requirements) defines specific requirements for using…

    Read More

Book a Demo

We’re ready to help you integrate SAST and SCA security into your DevSecOps flow. Get a personally guided tour of our solution offerings to ensure you are receiving the right solution for your development team. 

book now