Cybersecurity for Connected Medical Devices
Copyright
Academic Press is an imprint of Elsevier
125 London Wall, London EC2Y 5AS, United Kingdom
525 B Street, Suite 1650, San Diego, CA 92101, United States
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
Copyright © 2022 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-0-12-818262-8
For information on all Academic Press publications visit our website at https://www.elsevier.com/books-and-journals
Publisher: Mara Conner
Editorial Project Manager: Fernanda A. Oliveira
Production Project Manager: Debasish Ghosh
Cover Designer: Christian J. Bilbow
Typeset by TNQ Technologies
Dedication
To Anahita
Preface
When I was contacted by my publisher to explore the possibility of writing a book on medical device cybersecurity, the first question I asked myself was, "When was the last time I read a technical book?"
I couldn't remember.
When I have a technical question, I read research papers, look through standards, wade through the net reading StackExchange, Wikipedia, Medium, or anything else a Google search throws up. Usually, I find my answer without needing to open a book. This led me to wonder: in this day and age, why even bother to write a book on a technical topic, that too, on a moving target like cybersecurity, when there are so many great resources online, continually updated, free of cost, available at the click of a mouse?
Then I started doing some online research, putting myself in the shoes of someone new to medical device cybersecurity, trying to find answers to common questions someone in Systems Engineering or Quality or Clinical Engineering might have. Finding these answers online was much more difficult than I thought it would be, sometimes to the point of being virtually impossible. While there were excellent resources for understanding concepts of cryptography, there was very little available in terms of how to apply them for medical devices; the details were all there, but not the context in which to use them. Different regulatory agencies across the world had published well-thought-out guidance for cybersecurity, and they more or less prescribed the same things, except they used different words and different concepts, and there was nothing online that compressed all the best practices into one simple "Here's what you could do." Comprehensive cybersecurity organizational standards have been written by experts at the National Institute of Standards and Technology (NIST), and they had been written for general purpose applicability, but then there was really very little available online that adapted these general frameworks for a typical medical device company. Standards like AAMI TIR57 and AAMI TIR97 and ISO 14971 and documents like Medical Device and Health IT Joint Security Plan came the closest in terms of providing tailored answers, but because these were standards and industry guidance, they have to be general enough to accommodate all solutions, whereas sometimes, as a practitioner with a deadline that passed yesterday, you are looking for one workable solution, rather than all of them.
The word "workable" in the previous sentence needs some explaining. It has been often said that the great is the enemy of the good. The reason why we chose to work in the healthcare industry is because of its mission: to help people live longer and healthier lives. If the pursuit of the very best cybersecurity solution creates unnecessary delay in the shipping of a life-saving or life-sustaining product, or makes it no longer economically viable to produce, we have lost track of the reason why we get up in the morning. This is why the word "workable" is so critical: we need to design solutions that ensure that (1) patients are reasonably protected from cybersecurity threats, (2) the cybersecurity design of the product will satisfy cybersecurity expectations of regulators and customers, and (3) project timelines and budgets are met.
This book focuses on workability. As an example, let us consider the problem of threat modeling for medical devices. There are multiple ways of doing threat modeling. Each of these threat modeling methodologies is expansive enough to each have a book devoted to it. If I were to present you a survey of all threat modeling approaches and leave the choice of what to use to the reader, then I believe I would have provided very little incremental value over that which already exists. Instead, I describe only one integrated way of doing systems and software/hardware threat modeling. This method, I have found from my experience, scales well to multiple systems: embedded, mobile, app, cloud, and server. It has satisfied regulatory expectations, and has kept projects within time and budget.