References Regarding Cybersecurity for Network-Connected Medical Devices

Updated 27 Aug 2019:

Health Care Industry Cybersecurity Task Force June 2017 Report on Improving Cybersecurity in the Health Care Industry https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf 

Healthcare and Public Health Sector Coordinating Council, Medical Device and Health IT Joint Security Plan, January 2019 https://healthsectorcouncil.org/the-joint-security-plan/ 

The FDA’s Role in Medical Device Cybersecurity, Dispelling Myths and Understanding Facts https://www.fda.gov/media/103696/download

MITRE, Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook https://www.mitre.org/publications/technical-papers/medical-device-cybersecurity-regional-incident-preparedness-and 

“Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” https://www.fda.gov/regulatory-information/search-fda-guidance-documents/content-premarket-submissions-management-cybersecurity-medical-devices-0

“Postmarket Management of Cybersecurity in Medical Devices” https://www.fda.gov/regulatory-information/search-fda-guidance-documents/postmarket-management-cybersecurity-medical-devices

“Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm089543.htm

“Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software” http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm

Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication (2013) http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm?source=govdelivery 

Cybersecurity for Networked Medical Devices is a Shared Responsibility: FDA Safety Reminder (updated Oct. 2014) http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm

Medical Device Software Patching, IHE PCD in Cooperation with MDISS (Oct. 2015), http://ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Patching_Rev1.1_2015-10-14.pdf

Medical Equipment Management, Medical Device Cyber Security Best Practice Guide, IHE PCD (Oct. 2015), http://ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Cyber-Security_Rev1.1_2015-10-14.pdf  

Medical Equipment Management, Cyber Security, IHE PCD (May 2011), http://ihe.net/Technical_Framework/upload/IHE_PCD_White-Paper_MEM_Cyber_Security_Rev2-0_2011-05-27.pdf

Building Code for Medical Device Software Security, IEEE Computer Society, May 2015, http://cybersecurity.ieee.org/images/files/images/pdf/building-code-for-medica-device-software-security.pdf  

Medical Device Isolation Architecture Guide, V2.0, US Department of Veterans Affairs (Aug. 2009), http://s3.amazonaws.com/rdcms-himss/files/production/public/HIMSSorg/Content/files/MedicalDeviceIsolationArchitectureGuidev2.pdf

VA Enterprise Design Patterns Privacy and Security – Medical Device Security, Jan 2017 https://www.oit.va.gov/library/programs/ts/edp/privacy/MedicalDeviceSecurity_V1.pdf  

“Medical Devices Security Technical Implementation Guide, V1, R1” Defense Information Systems Agency (DISA), July 2010, http://iase.disa.mil/stigs/Documents/unclassified_medical_device_stig_27July2010_v1r1FINAL.pdf  

Manufacturer Disclosure Statement for Medical Device Security, NEMA (Oct. 2013); http://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx  

ANSI/UL 2900-2-1, First Edition, 2017, Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems https://standardscatalog.ul.com/standards/en/standard_2900-2-1_1

ANSI/UL 2900-1, First Edition, 2017, Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements https://standardscatalog.ul.com/standards/en/standard_2900-1_1

Patching Off-the-Shelf Software Used in Medical Information Systems, NEMA/COCIR/JIRA Security and Privacy Committee, Oct. 2004, http://www.medicalimaging.org/wp-content/uploads/2011/02/Patching_OffTheShelfSoftware_Used_in_MedIS_October_2004.pdf

Office of Inspector General: FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices: https://oig.hhs.gov/oei/reports/oei-09-16-00220.pdf  

I Am The Cavalry, “Hippocratic Oath for Connected Medical Devices” https://www.iamthecavalry.org/domains/medical/oath/

MedCrypt: What Medical Device Vendors can learn from past Cybersecurity Vulnerability Disclosures https://www.medcrypt.co/medcrypt-vulnerability-analysis-whitepaper-1.pdf  

MedCrypt: A Medical Device Cybersecurity Toolbox https://www.medcrypt.com/whitepapers.html

MedCrypt: A Tool in Medical Device Cybersecurity https://www.medcrypt.com/whitepapers.html

MedCrypt: Impact of Monitoring on Medical Device Vulnerabilities https://www.medcrypt.com/whitepapers.html

“Anatomy of an Attack – Medical Device Hijack (MEDJACK)”, TrapX, 2015 https://trapx.com/trapx-labs-report-anatomy-of-attack-medical-device-hijack-medjack/  

“MEDJACK 2: Old malware used in new medical device hijacking attacks to breach hospitals”, Network World, Jun 27, 2016, http://www.networkworld.com/article/3088697/security/medjack-2-old-malware-used-in-new-medical-device-hijacking-attacks-to-breach-hospitals.html

“Securing Hospitals – A Research Study and Blueprint”, Independent Security Evaluators (ISE), Feb. 2016, https://www.securityevaluators.com/hospitalhack/ 

ISO 13485, Medical devices – Quality management systems – Requirements for regulatory purposes https://www.iso.org/iso-13485-medical-devices.html

OWASP Secure Medical Device Deployment Standard, Version 1.0 9/12/17 https://www.owasp.org/images/7/73/MedicalDevicePurchasing.pdf  

OWASP Secure Medical Device Deployment Standard: Purchasing Assessment Criteria, Version 1.0, 9/12/17 https://www.owasp.org/images/7/73/MedicalDevicePurchasing.pdf

AAMI TIR57: Principles for medical device security – Risk management https://www.aami.org/productspublications/ProductDetail.aspx?ItemNumber=3729

AAMI Medical Device Cybersecurity: A Guide for HTM Professionals https://www.aami.org/productspublications/ProductDetail.aspx?ItemNumber=6489 

Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, National Institute of Standards and Technology https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf 

NIST SPECIAL PUBLICATION 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations https://www.nccoe.nist.gov/sites/default/files/library/sp1800/hit-wip-nist-sp1800-8.pdf   

MAUDE – Manufacturer and User Facility Device Experience https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.CFM 

FDA: Recognized Consensus Standards https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfStandards/search.cfm [search terms: risk; device; cybersecurity]

Selection of Cybersecurity-Related Standards in Development for Medical Devices https://www.fda.gov/media/123070/download 

  • ISO/IEC 81001-1 Health software and health IT systems safety, effectiveness, and security – Part 1: Foundational principles, concepts and terms 
  • IEC 80001-5-1 Safety, effectiveness, and security in the implementation and use of connected medical devices or connected health software – Part 5: Security – Part 5-1: Activities in the product lifecycle 
  • IEC 60601-4-5 Guidance and interpretation – Safety related technical security specifications for medical devices 
  • IEC 62304 Medical device software – Software life cycle processes 
  • AAMI TIR97/Ed. 1, Principles for medical device security – Post-market security management for device manufacturers 
  • AAMI SW96/Ed. 1, Medical Devices – Application of security risk management to medical devices 

OLDER Links circa 2018:

“Medical Device Security: An Industry Under Attack and Unprepared to Defend” https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf

“Report On Improving Cybersecurity In The Health Care Industry” https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf

“Cybersecurity for Medical Device Manufacturers: Ensuring Safety and Functionality” http://s3.amazonaws.com/rdcms-aami/files/production/public/FileDownloads/BIT/2016_BIT_JF_CybersecurityManufacturers.pdf

Mayo Clinic “Medical Device Risk Assessment Vendor Packet Instructions” https://www.mayoclinic.org/documents/medical-device-vendor…/doc-20389647

“IEC 80001-2-1:2012 – Application of risk management for IT-networks incorporating medical devices — Part 2-1: Step by Step Risk Management of Medical IT-Networks; Practical Applications and Examples” https://www.iso.org/obp/ui/#iso:std:iec:tr:80001:-2-1:ed-1:v1:en

“Principles for Medical Device Security – Risk Management” (AAMI TIR57) http://my.aami.org/store/detail.aspx?id=TIR57-PDF and preview at http://my.aami.org/aamiresources/previewfiles/TIR57_1607_Preview.pdf

“Baseline Security Recommendations for IoT in the Context of Critical Information Infrastructures” https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Food & Drug Administration:

“Cybersecurity” https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm

“Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”, FDA, 2 Oct 2014, https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm356190.pdf

“Postmarket Management of Cybersecurity in Medical Devices”, FDA, 28 Dec 2016, https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf

“FDA Recognizes UL 2900-1 Cybersecurity Standard for Medical Devices” https://www.ul.com/inside-ul/fda-recognizes-ul-2900-1-cybersecurity-standard-for-medical-devices/

Proposed Legislation: 

“Partnership Stressed in IoMT Medical Device Cybersecurity Bill” https://healthitsecurity.com/news/partnership-stressed-in-iomt-medical-device-cybersecurity-bill and https://www.congress.gov/bill/115th-congress/house-bill/3985

“The Medical Device Cybersecurity Act of 2017” https://www.congress.gov/bill/115th-congress/senate-bill/1656

“Senate bill takes aim at medical device cybersecurity” https://www.fiercehealthcare.com/privacy-security/senate-bill-takes-aim-at-medical-device-cybersecurity