This document presents a methodology for assessing cybersecurity threats for medical devices. It involves drawing a component diagram, identifying software components and entry points, relevant software information, hazardous use scenarios, potential harms, and mitigations. The methodology is then demonstrated by working through these steps for a generic EKG device, identifying the management processor, JTAG connector, and software image as relevant, and proposing a hazardous use scenario and potential mitigations. The goal is to satisfy FDA documentation requirements around listing cybersecurity risks and controls.
2. The analysis methodology presented here is driven by the FDA guidance document
“Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (Oct 2014),
which consists of FDA recommendations for considering cybersecurity risks in medical devices.
Cybersecurity Analysis Method for Medical Devices
3. The analysis methodology will specifically address the section:
Section 6 Cybersecurity Documentation
4. Section 6 Cybersecurity Documentation of the FDA
Guidance document states:
Hazard analysis, mitigations, and design considerations
pertaining to intentional and unintentional cybersecurity
risks associated with your device, including:
• A specific list of all cybersecurity risks that were
considered in the design of your device;
• A specific list and justification for all cybersecurity
controls that were established for your device.
5. To satisfy these two bullet
items, a Device Interface
methodology is useful.
6. This Device Interface methodology is
summarized below:
Step 1: Draw Component Diagram of the
system.
Step 2: Identify SW Components in the
system.
Step 3: Identify Entry Points i.e. device
interfaces in the system.
Step 4: Identify relevant SW Information in
the SW Components.
Step 5: Define Hazardous Use scenarios.
Step 6: Define Harm arising from hazardous
use.
Step 7: Define Mitigations.
7. Let’s consider the example of a generic EKG device:
[Figure: top view and side view of the EKG device, showing the Display, the USB port and the EKG Lead Connector.]
Assumptions:
• There is a data storage that holds .PNG image files that can be transferred to a laptop via a USB serial connection.
• The laptop can also be used to perform SW upgrades on the device.
8. Step 1: Draw Component Diagram of the system.
To start, generate a “big picture” component diagram of the generic EKG
device.
[Component diagram: Lead Connector, ADC, Display, USB, MP (Management Processor), Display Driver, RTC, Audio DAC, Data Storage, FTDI, JTAG.]
9. Step 2: Identify SW Components in the system.
For each component, identify any software that exists on it.
Subsidiary components such as DACs, the RTC, etc. are also
considered. For the moment, disregard the likelihood of a
particular cybersecurity threat.
[Component diagram from Step 1, repeated.]
10. Step 3: Identify Entry Points.
Now identify device interfaces to the software components.
[Component diagram from Step 1, repeated, with the device interfaces (entry points) highlighted.]
11. Step 4: Identify relevant SW Information in the SW
Components.
For each component, identify SW Information in each component, where
‘Information’ is a data entity that could be considered to be a vehicle for
malicious use.
[Component diagram from Step 1, repeated, annotated with the SW Information found: Time & Date (RTC), SW Image (MP), .PNG Image Files (Data Storage).]
12. Step 5: Define Hazardous Use scenarios.
At this point, we have all the items (SW
components, Entry Points, SW Information)
necessary to start defining hazardous use scenarios.
First, let’s define the term “hazardous use” as:
1. Any act, intended or unintended,
that would cause the device to
harm a patient or clinician.
2. Any act that would harm business
interests (reverse engineering SW,
intentional device failures, re-
processing, etc.).
13. Step 5 (continued): Define Hazardous Use scenarios.
Like DFMEAs, the task of defining Hazardous Use scenarios
should be conducted by a cross-functional team:
• R&D SW developers
• System Engineers
• Reliability Engineers
• SWQA Engineers
14. Step 5 (continued): Define Hazardous Use scenarios.
To apply this methodology, first identify a Component that needs to be
analyzed (use the Component diagram from Step 1). Let’s start with the
example of the Management Processor (MP) component:
[Component diagram, with the MP highlighted.]
15. Step 5 (continued): Define Hazardous Use scenarios.
Next we identify an Entry Point. Let’s start with the JTAG connector:
[Component diagram, with the MP and the JTAG connector highlighted.]
16. Step 5 (continued): Define Hazardous Use scenarios.
We complete the picture by identifying the SW Information on the
management processor. In this case, the device SW image:
[Component diagram, with the MP, the JTAG connector and the SW Image highlighted.]
17. Step 5 (continued): Define Hazardous Use scenarios.
Going back to our definition of Hazardous Use, we ask ourselves the first
question:
What act, intended or unintended, could cause the device to harm a
patient or clinician?
[Diagram: MP, JTAG, SW Image]
18. Step 5 (continued): Define Hazardous Use scenarios.
We need to define this Hazardous Use in the context of our
Device Interface methodology, taking into consideration the
component (MP), the interface (JTAG) and the SW
information (SW image).
[Diagram: MP, JTAG, SW Image]
19. Step 5 (continued): Define Hazardous Use scenarios.
Or more precisely:
How could someone gain access to the
Management Processor, via the JTAG
connector, and alter the SW Image so that it
would cause harm to a patient or clinician?
[Diagram: MP, JTAG, SW Image]
20. Step 5 (continued): Define Hazardous Use scenarios.
And we also ask ourselves the 2nd question from our
Hazardous Use definition:
How could someone gain access to the Management
Processor, via the JTAG connector, and alter the SW
Image so that it would cause harm to our business
interests?
[Diagram: MP, JTAG, SW Image]
21. Step 5 (continued): Define Hazardous Use scenarios.
We have entered the point in the methodology where typical
SW FMEA thinking takes over (keep in mind that we are still
not addressing the likelihood of a scenario).
Let’s try to define some possible hazardous use scenarios…
22. Step 5 (continued): Define Hazardous Use
scenarios.
Defining a hazardous use scenario:
[Diagram: laptop with JTAG Emulator connected to the JTAG connector, reaching the MP and its SW Image]
• Using a laptop and a JTAG emulator, a malicious actor could
remove the cover on the device and connect to the JTAG and
gain access to the MP.
• Using debugging tools on the laptop, this malicious actor
could then alter the SW Image to produce erroneous EKG
results or to corrupt the SW Image itself.
• The malicious user could also copy the SW Image off the MP
for the purposes of reverse engineering the SW.
23. Step 6: Define Harm arising from hazardous use.
Defining Harm should link to the harms defined in your Preliminary
Hazard Analysis. In our example, the possible harms are easily
deduced.

Hazard: Using debugging tools on the laptop, this malicious actor could then alter the SW Image to produce erroneous EKG results or to corrupt the SW Image itself.
Harm: Serious: not immediately life-threatening; hospitalization or prolongation of hospitalization.

Hazard: The malicious user could also copy the SW Image off the MP for the purposes of reverse engineering the SW.
Harm: Business harm.
24. Step 7: Design Mitigations
We may now consider the severity and occurrence of the hazard and
harm, so that we may properly consider the Mitigation.
We will refrain from defining severity/occurrence in our example,
but suffice it to say that mitigations for Low severity (minor) hazards
may be much different than mitigations for High severity
(Catastrophic) hazards.
25. Step 7: Design Mitigations
Defining the mitigation should consist of design based remedies.
Continuing with some mitigations for our example EKG device:
Hazard: Using debugging tools on the laptop, this malicious actor could then alter the SW Image to produce erroneous EKG results or to corrupt the SW Image itself.
Mitigations:
• Program SW lock on JTAG after programming MP (SW mitigation).
• Sealed final form factor (physical mitigation).

Hazard: The malicious user could also copy the SW Image off the MP for the purposes of reverse engineering the SW.
Mitigations:
• Program SW lock on JTAG after programming MP (SW mitigation).
• Sealed final form factor (physical mitigation).
26. Step 7: Design Mitigations
After implementation of the Mitigations, the severity/occurrence
should be re-evaluated to determine whether the risk has been
reduced to “As Low As Reasonably Practicable” (ALARP). This
evaluation should include an explanation of why the authors
believe the risk has been reduced to an acceptable level.
Steps 5 to 7 are then repeated for every remaining Component /
Entry Point / SW Information combination (for example the USB
upgrade path, which reaches the same SW Image, or the .PNG files in
Data Storage), so that the resulting lists are the specific list of
cybersecurity risks and the specific list of controls that Section 6
asks for.
Of course, a record of this threat assessment should be entered
into the Design History File.
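The following is an added example, not code from the slides: a small model of the Device Interface methodology (Steps 1 to 7) applied to the generic EKG device. It expands every Component / Entry Point / SW Information triple into the two Hazardous Use questions of Step 5, records the two worked scenarios with their harms and mitigations, and produces the two lists Section 6 asks for while flagging any scenario whose residual risk is still above the acceptance threshold or that has no written justification. The component, entry point and SW Information names are those on the slides; the 1 to 5 severity and occurrence scales, the ALARP threshold and the numeric ratings are assumptions made for illustration.

```python
"""Added example, not from the slides: a small model of the Device Interface
methodology (Steps 1-7) applied to the generic EKG device. Component, entry
point and SW Information names are those on the slides; the 1-5 severity and
occurrence scales, the ALARP threshold and the ratings are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Steps 1-4. The MP is reachable over JTAG and, per the slide assumptions,
# over the USB software-upgrade path; Data Storage is reachable over USB for
# .PNG transfer. The RTC's entry point is not mapped on the slides, so it is
# left empty here and reported as a gap rather than silently dropped.
DEVICE = {
    "MP": {"entry_points": ["JTAG", "USB"], "information": ["SW Image"]},
    "Data Storage": {"entry_points": ["USB"], "information": [".PNG Image Files"]},
    "RTC": {"entry_points": [], "information": ["Time & Date"]},
}

# The two Hazardous Use questions from Step 5, parameterised on the triple.
QUESTIONS = (
    "How could someone gain access to the {c}, via the {e}, and alter the {i} "
    "so that it would cause harm to a patient or clinician?",
    "How could someone gain access to the {c}, via the {e}, and alter the {i} "
    "so that it would cause harm to our business interests?",
)


def hazardous_use_questions(device=DEVICE):
    """Step 5: expand every (component, entry point, information) triple into
    the two Hazardous Use questions. Returns (questions, unmapped components)."""
    questions, gaps = [], []
    for comp, spec in device.items():
        if not spec["entry_points"]:
            gaps.append(comp)
        for ep in spec["entry_points"]:
            for info in spec["information"]:
                questions.extend(q.format(c=comp, e=ep, i=info) for q in QUESTIONS)
    return questions, gaps


@dataclass
class Scenario:
    component: str
    entry_point: str
    information: str
    hazard: str
    harm: str                      # should map to a harm in the Preliminary Hazard Analysis
    severity: int                  # assumed scale: 1 (minor) .. 5 (catastrophic)
    occurrence: int                # assumed scale: 1 (remote) .. 5 (frequent)
    mitigations: list = field(default_factory=list)
    occurrence_after: Optional[int] = None   # re-rated occurrence once mitigated
    justification: str = ""        # why the team believes the residual risk is acceptable

    def risk_before(self):
        return self.severity * self.occurrence

    def risk_after(self):
        occ = self.occurrence if self.occurrence_after is None else self.occurrence_after
        return self.severity * occ


ALARP_THRESHOLD = 6  # assumed: severity x occurrence at or below this is acceptable


def section6_lists(scenarios, threshold=ALARP_THRESHOLD):
    """Steps 6-7: produce the two lists Section 6 asks for (risks considered,
    controls with their justifications) and flag scenarios that are still above
    the threshold after mitigation or that carry no written justification."""
    risks = [f"{s.component}/{s.entry_point}/{s.information}: {s.hazard} -> {s.harm}"
             for s in scenarios]
    controls = {}
    for s in scenarios:
        for m in s.mitigations:
            controls.setdefault(m, []).append(s.justification)
    open_items = [s for s in scenarios if s.risk_after() > threshold or not s.justification]
    return risks, controls, open_items


# The two scenarios worked on the slides; the numeric ratings are assumptions.
JTAG_LOCK = "Program SW lock on JTAG after programming MP (SW mitigation)"
SEALED = "Sealed final form factor (physical mitigation)"
SCENARIOS = [
    Scenario("MP", "JTAG", "SW Image",
             "Alter the SW Image with a JTAG emulator to produce erroneous EKG results",
             "Serious: hospitalization or prolongation of hospitalization",
             severity=4, occurrence=3, mitigations=[JTAG_LOCK, SEALED], occurrence_after=1,
             justification="JTAG is locked after production programming and the enclosure is sealed"),
    Scenario("MP", "JTAG", "SW Image",
             "Copy the SW Image off the MP for reverse engineering",
             "Business harm",
             severity=2, occurrence=3, mitigations=[JTAG_LOCK, SEALED], occurrence_after=1,
             justification="The same controls prevent image read-out over JTAG"),
]

if __name__ == "__main__":
    questions, gaps = hazardous_use_questions()
    print(f"{len(questions)} hazardous-use questions to answer; unmapped components: {gaps}")
    risks, controls, open_items = section6_lists(SCENARIOS)
    print("Section 6 risks:", *risks, sep="\n  ")
    print("Section 6 controls:", *controls, sep="\n  ")
    print("Still open after mitigation:", [s.hazard for s in open_items])
```

Running the script lists six questions (the MP/JTAG, MP/USB and Data Storage/USB triples, two questions each), reports the RTC as an unmapped component, and shows both worked scenarios closed by the JTAG lock and sealed enclosure. The design choice worth noting is that the open-items check fails on a missing justification as well as on a high residual rating, because Section 6 asks for the justification of each control, not only for the control itself.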