The Center for Medical Device Cybersecurity and its Members Uncover Industry Needs for Security Penetration Testing in Medical Devices

The Center for Medical Device Cybersecurity at the University of Minnesota hosted a member forum on June 24 to discuss penetration testing as a method to ensure safety and security in medical devices.  This expert-led discussion allowed device manufacturers, healthcare providers and healthcare payers to talk openly and share ideas on solutions to this industry challenge.

Penetration testing was defined as a means of testing software for vulnerabilities, not only to satisfy patient safety concerns but also to satisfy regulatory and privacy requirements. Three separate types of pen testing were identified: “white box”, “gray box” and “black box” tests, each addressing specific needs and scenarios.

In black box testing, the tester has no knowledge of the system architecture or source code; this is the closest simulation of what an attacker coming from outside would encounter.

In gray box testing, the tester has some knowledge of the system architecture, which helps the tester discover vulnerabilities in the system more easily. In white box testing, the tester has access to everything, including the source code. The FDA prefers this approach because it lets testers find small vulnerabilities that can be fixed easily.

Next, an overview of challenges related to pen testing was shared and discussed, including:

  • how to choose a pen tester,
  • how to know whether a tester's results are reliable,
  • whether customers should pen test products before they purchase them,
  • whether testers should perform black box, gray box or white box testing, and
  • whether pen test results should have an expiration date.

The open discussion between all the industry players continued around pen testing best practices. By the end of the session a consensus had emerged around several key points:

  1. An industry standard needs to be developed for pen testing. This standard would clearly define what pen tests are, how they should be conducted, what information should be sent to customers and regulators, and whether such tests should be conducted in-house or by independent contractors.
  2. Periodic pen tests should be conducted on all devices, including legacy devices. Testing should begin during the development phase and continue until the last fielded device is decommissioned.
  3. Pen testing protocols should find a balance between the needs of manufacturers, healthcare delivery organizations (HDOs) and regulators. Pen testing is a widely used term with a great variety of use cases and definitions. Manufacturers want to keep tests freeform and outside the verification and validation (V&V) process; HDOs want the protocol defined tightly enough to validate that stated controls are in place.

The mission of the Center for Medical Device Cybersecurity is to be an ever-expanding and active hub of connections, communications, education and training, resources, research, and useful experiences for all those involved with improving the cybersecurity and safety of healthcare and medical devices. Its members are healthcare providers, device manufacturers, and healthcare payers. For more information on becoming a member, send a message to cmdc@umn.edu.