Ask HN: What are some good resources to understand medical device cybersecurity?

I few times touched with subject, must say, this is mostly comedy or parody.

Because, regulators are extremely conservative, devices have extremely long lifetime.

Example, people asked me, where to buy USB flash with two tails - they used old embedded Windows on integrated into medical device computer, and regulations require to remove network devices, even prohibited to connect network USB dongle (sure, guy tried, but network drivers disabled in OS).

Interest, that people could install on that computer 3rd party applications, even games.

And that two-tail flash used to integrate those computer to medical database of organization - for me, this is just security WTF.

So, in reality, old systems live within old rules, which just don't know modern off-the-shelf technologies, and even when it is possible to make upgrade to modern safety techniques it is not considered.

As alternative example, not ideal, but.. Japanese new regulations on skyscrapers, where to got permission to build, builder required to create special account, on which deposit full sum of money, to safely collapse building and return land to state it was before.

Honestly, medical security is more theater than real security. The people with marketing prowess sell crap for much, much more of a markup to the medical world than to most other industries, excepting perhaps military, and just like many other areas, marketing has much more of an influence than actual security.

Pretty much all of my experience in medical security to date has been playing games to paper over horribly insecure defaults that should never have been considered in the first place. Companies would rather things that are known to be insecure that others are using, so everyone is in the same boat, so to speak, than to choose something demonstrably more secure that nobody else is using.

In other words, learn about marketing, marketing forces, and securing things after the fact.

Don't think medical devices are in any way unique. Same cybersecurity principles and practices apply to them as to any IoT device.

Use best IoT practices. Treat a medical device like any new product whose data you want to remain secure. On the device itself, ensure your firmware is inaccessible to curious hackers. Most MCUs provide read back protection so enable it! Ensure OTA updates are encrypted and signed, and only verified bootloaders can decrypt and install firmware. All network communications should be encrypted too; use HTTPS or similar protocols and treat your device certs like you treat your firmware.

On the backend, use web API security best practices. This means only allow API access to authorized devices and/or users. Keep your database secure. There’s tons of resources out there about how to build a secure backend.

Cybersecurity isn’t nearly as complicated as marketers and would-be consultants paint it out to be. Granted, programs are complicated (firmware especially), so invest heavily in good testing to catch insecure code before they manifest into issues.

As far as the FDA is concerned, document everything, probably more that you think is necessary. Write up a clear set of requirements, verification and validation plans, and very thorough design documents. This benefits both them and any future team members that may need to work on the project.

Please remember that availability is part of security. If the company that makes the device folds, or just decides to stop supporting it, it should remain available, perhaps even a decade or more later. We should never have people with implanted devices that are otherwise functional, because of a lack of software support.

There’s a lot of compliance rules for these types of devices.