With the dramatic growth of IoT globally in all sectors, medical was not going to be bypassed but instead there was going to be significant growth in new products/services for medical.
With some of these new solutions come more capabilities and freedoms for patients who can now still be fully monitored without patient care. With an aging population and global pandemic, the timing cannot be better for the uptake of these technologies.
Now the part that makes everyone uncomfortable is how to protect the privacy of the patient and ensure that there is no inherit cyber risks of using the product. i.e. can it be weaponized.
Over the past couple of years, we have been working with many health products companies globally to help with securing these solutions. This includes a 3-years research project on IoT for Medical Devices. This has led to a methodology that allows us to formally assess a solution. Now this is not just what some would call penetration testing but a lot more than that. We create a testing environment that includes power supplies, SDRs, packet generators for various protocols, wireless sniffers and countless other tools. We also have a playbook that is used to test all classes of products.
Based on this, if you are looking to test and evaluate health devices here is some guidance, we would like to share with you.
- Determine the market you looking to sell the product into, this will determine the minimum testing and evaluation that will have to be provided. In Canada that would be Health Canada and in the US that is the FDA. Both have very specific requirements for products under this classification so make sure you understand the documentation you will require.
- Determine the standards to be used for evaluation, this may include one or more of the following:
- UL2900-1-1 or UL2900-2-1
- CSA T200
- ISO 14971
- IEC 80001-1
- These standards will determine the test cases on how each aspect is to be assessed and verified. Keep in mind, these tests and tools must be repeatable, and all outputs of testing need to be collected for validation and auditing. When creating each test case ensure you are using a scientific methodology approach. You will have to provide to reviewers how and why of each test case. You can even take screen recordings and captures to record impacts to devices under test.
- Some of these testings will not be easy, especially if you do not know aspects of system design, hardware testing, and tools such as logic analysers. It will also take longer than you anticipated as well. Plan your project scope accordingly.
- Packet capture everything and spend enough time to analyze these. Many times, we found some intel on the devices by them being “chatty” on the wire. This includes sending nuggets of information in headers and data fields unencrypted which can be used against a device. You have got to love metadata!
As you work towards medical certification keep in mind you can do these tasks both in-house and using a 3rd party. If you are using a 3rd party, make sure they are accredited. Using a consultant for pen testing might save you some money but will not potentially pass a regulatory review.
TwelveDot currently provides a complete solution which includes testing hardware, firmware, network communication, mobile and web application and the cloud platform that exceeds current FDA and UL2900 requirements for testing and evaluation. We are working with global medical equipment companies to evaluate and secure their solutions. Please contact us to learn more.