Anita Finnegan

Development of MDevSPICE® - the medical device software process assessment framework

Software that is incorporated into a medical device, or which is a standalone medical device in its own right, is of a safety critical nature and subject to regulation from various jurisdictions. In order to satisfy jurisdictional regulations, developers of medical device software adopt standards and guidance provided by international standards bodies and regulators. However, the various standards and guidance documents are often not developed as a single cohesive set resulting in a complex and costly challenge for medical device software developers when complying with regulation.

A Security Argument Pattern for Medical Device Assurance Cases

Medical device security is a growing concern for medical device manufacturers, healthcare delivery organisations and regulators in the industry. Increasingly, researchers are demonstrating exactly how vulnerable these devices are. In many cases, networked medical devices are regarded as a potential weak link within a healthcare IT network that could provide a means to expose the entire network to a malware attack. At present there is no formal method for implementing security risk management practices in the medical device industry. However, with new regulatory guidance being developed by the Food and Drug Administration (FDA), medical devices manufacturers will need to prove that their devices are secure. This paper presents a security case framework that is currently under development. The purpose of this framework is to provide medical device manufacturers and healthcare delivery organisations with a solution to assist both in establishing confidence in the security assurance of medical devices and to also maintain this confidence throughout the lifetime of the device.

Framework to assist healthcare delivery organisations and medical device manufacturers establish security assurance for networked medical devices

This paper introduces an assurance framework for networked medical device development. This work is being conducted to address the ever-increasing concerns of medical device security with a specific focus on medical devices to be incorporated into IT networks. The framework utilises a Process Assessment Model and a Process Reference Model to address system development lifecycle processes, security assurance processes and a focused risk management process. There is currently no governance for the development of secure medical devices in place and so, this work sets out to resolve this problem by increasing the awareness of medical device security risks, threats and vulnerabilities among Medical Device Manufacturers, IT vendors and Healthcare Delivery Organisations.

Improving Safety in Medical Devices from Concept to Retirement

As with many domains the use of software within the healthcare industry is on the rise [1, 2] within the last 20 years.

MDevSPICE - A Comprehensive Solution for Manufacturers and Assessors of Safety-Critical Medical Device Software

Software development is frequently challenged with quality concerns. One of the primary reasons for such issues is the very nature of the software development process. First, it can be difficult to accurately and completely identify the requirements for a software development product. Also, the implementation on various platforms and the need to integrate with sometimes unforeseeable additional systems adds complexity. For safety critical domains, such as the medical device and healthcare sectors, these hurdles are amplified. Whereas a failure in a desktop application may be resolved through a restart with no harm incurred, a failure in a medical device can have life threatening consequences. Our work in the Regulated Software Research Centre (RSRC) aims to support medical device producers in the production of safer medical device software. In this paper, we describe the MDevSPICE framework and how it addresses the safety concerns faced by medical device producers.

A security assurance framework for networked medical devices

This paper presents work for the development of a framework to assure the security of networked medical devices being incorporated. The paper focuses on one component of the framework, which addresses system development processes, and the assurance of these through the use of a Process Assessment Model with a major focus on the security risk management process. With the inclusion of a set of specific security controls and assurance processes, the purpose is to increase awareness of security vulnerabilities, risks and controls among Medical Device Manufacturers with the aim of increasing the overall security capability of medical devices.

DEIS: Dependability Engineering Innovation for Industrial CPS

The open and cooperative nature of Cyber-Physical Systems (CPS) poses new challenges in assuring dependability. The DEIS project (Dependability Engineering Innovation for automotive CPS. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 732242, see http://www.deis-project.eu) addresses these challenges by developing technologies that form a science of dependable system integration. In the core of these technologies lies the concept of a Digital Dependability Identity (DDI) of a component or system. DDIs are modular, composable, and executable in the field facilitating (a) efficient synthesis of component and system dependability information over the supply chain and (b) effective evaluation of this information in-the-field for safe and secure composition of highly distributed and autonomous CPS. The paper outlines the DDI concept and opportunities for application in four industrial use cases.

A Process Assessment Model for Security Assurance of Networked Medical Devices

The recent introduction of networked medical devices has posed many benefits for both the healthcare industry and improved patient care. However, because of the complexity of these devices, in particular the advanced communication ability of these devices, security is becoming an increasing concern. This paper presents work to develop a framework to assure the security of medical devices being incorporated into an IT network. It begins by looking at the development processes and the assurance of these through the use of a Process Assessment Model with a major focus on the security risk management processes. With the inclusion of a set of specific security controls, both the Healthcare Delivery Organisations and the Medical Device Manufacturers work together to establish fundamental security requirements. The Medical Device Manufacturer reports the achieved security assurance level of their device through the development of a security assurance case. The purpose of this approach is to increase awareness of security vulnerabilities, risks and controls among Medical Device Manufacturers and Healthcare Delivery Organisations with the aim of increasing the overall security capability of medical devices.

Towards an International Security Case Framework for Networked Medical Devices

Medical devices MDs are becoming increasingly networked. Given, that safety is the most significant factor within then MD industry and the radical shift in MDs design to enable them to be networked, it would make sense that strong security requirements associated with networking of a device should be put in place to protect such devices from becoming increasingly vulnerable to security risks. However, this is not the case. Networked MDs may be at risk. In an attempt to reduce this risk to the MD industry there are a number of upcoming regulatory changes, which will affect the development of networked MDs, how they are regulated and how they are managed in operation. Consequently, an industry-wide issue exists as there is currently no standardised way to assist organisations to satisfy such security related requirements. This paper describes ongoing research for the development of an innovative framework to improve the overall security practices adopted during MD development, in operation and through to retirement.