The majority of popular 3rd party software has its origins in consumer entertainment electronics. Software that was not originally developed with medical devices in mind is known as SOUP (Software of Unknown Provenance; see Tom’s blog on SOUP).
Although use of SOUP can bring great benefits, this software might contain defects or flaws that could result in device failure or exploitation by malicious actors. The recent FDA URGENT/11 safety communication is a typical example of SOUP, found in hindsight to be exploitable, finding its way into medical devices.
This is not a report of a recorded cybersecurity incident, but of a very real risk to any device that contains the described 3rd party software. Any such device, when connected to a network, is vulnerable to malicious interference with its data, or to someone remotely taking over its control.
So, what steps can be taken to avoid building vulnerable 3rd party software into medical devices?
Be aware that cybersecurity is a very real threat and that incidents like URGENT/11 do occur; bake cybersecurity risk planning into your device engineering and support activities.
Apply due diligence when bringing in SOUP: validate the supplier and product, check for the inclusion of 4th party or open source code, and maintain an audit trail and risk analysis. Check for known vulnerabilities using databases such as the NIST National Vulnerability Database (NVD) or CERT/CC.
Be prepared for incidents. Ensure your device has a built-in ‘kill switch’ or secure software upgrade capability, with procedures for using it.
Keep a rear-guard after device deployment: continue to monitor supplier patch releases and newly published vulnerabilities, and risk-assess each one against your device. Monitor customer defect reports and feedback as well.
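Taken together, the intake check in the due-diligence step and the post-deployment monitoring step come down to one routine: match the device's SOUP inventory against a known-vulnerability feed, and risk-assess whatever is new. The script below is an added example written for this page, not code from the original post or from any device or software vendor. The vendor and product names, versions and CVE-XXXX-* identifiers in it are constructed placeholders, and the feed layout only mirrors the shape of NVD version-range data (versionStartIncluding, versionEndExcluding, versionEndIncluding) so that the same comparison logic would apply to a real feed.

```python
"""
Added example, not code from the original post: screen a medical device's
SOUP inventory (a minimal software bill of materials) against an NVD-style
vulnerability feed, first at supplier intake and again after deployment.

All data here is constructed for illustration. Vendor/product names,
versions and the CVE-XXXX-* identifiers are placeholders, not real records.
The feed is embedded so the script runs offline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Finding:
    cve_id: str
    component: Component
    cvss: float
    summary: str


def parse_version(version: str) -> tuple:
    """Turn '6.9.4.1' into a comparable tuple. Numeric parts compare as
    integers; non-numeric parts (e.g. 'rc1') sort after any number, and a
    shorter version sorts before a longer one with the same prefix."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def in_range(version: str, rule: dict) -> bool:
    """Apply NVD-style range bounds to a version. Missing bounds are open."""
    v = parse_version(version)
    lo = rule.get("versionStartIncluding")
    hi_exc = rule.get("versionEndExcluding")
    hi_inc = rule.get("versionEndIncluding")
    if lo is not None and v < parse_version(lo):
        return False
    if hi_exc is not None and v >= parse_version(hi_exc):
        return False
    if hi_inc is not None and v > parse_version(hi_inc):
        return False
    return True


def match_sbom(sbom, feed):
    """Return a Finding for every (CVE, component) pair whose version falls
    inside an affected range, most severe first."""
    findings = []
    for entry in feed:
        for rule in entry["affects"]:
            for comp in sbom:
                if (comp.vendor == rule["vendor"]
                        and comp.product == rule["product"]
                        and in_range(comp.version, rule)):
                    findings.append(Finding(entry["id"], comp,
                                            entry["cvss"], entry["summary"]))
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def new_findings(already_assessed, findings):
    """Post-deployment monitoring: keep only CVEs not yet risk-assessed.
    The set of assessed IDs doubles as the audit trail for the device."""
    return [f for f in findings if f.cve_id not in already_assessed]


# Constructed SBOM for a hypothetical device (placeholder components).
CONSTRUCTED_SBOM = [
    Component("examplertos", "example_tcpip_stack", "6.8.3"),
    Component("acme", "json_parser", "1.2.0"),
    Component("acme", "tls_lib", "2.4.0"),
]

# Constructed feed with placeholder IDs; ranges mimic NVD's CPE match fields.
CONSTRUCTED_FEED = [
    {"id": "CVE-XXXX-0001", "cvss": 9.8,
     "summary": "placeholder: memory corruption in TCP option parsing",
     "affects": [{"vendor": "examplertos", "product": "example_tcpip_stack",
                  "versionStartIncluding": "6.5", "versionEndExcluding": "6.9.4.1"}]},
    {"id": "CVE-XXXX-0002", "cvss": 5.3,
     "summary": "placeholder: parser crash on malformed input (fixed in 1.2.0)",
     "affects": [{"vendor": "acme", "product": "json_parser",
                  "versionEndExcluding": "1.2.0"}]},
    {"id": "CVE-XXXX-0003", "cvss": 7.5,
     "summary": "placeholder: certificate check bypass",
     "affects": [{"vendor": "acme", "product": "tls_lib",
                  "versionEndIncluding": "2.4.0"}]},
]

if __name__ == "__main__":
    hits = match_sbom(CONSTRUCTED_SBOM, CONSTRUCTED_FEED)
    for f in hits:
        print(f"{f.cve_id}  CVSS {f.cvss}  {f.component.product} "
              f"{f.component.version}: {f.summary}")
    # Second run after the 0001 finding has been risk-assessed and recorded.
    for f in new_findings({"CVE-XXXX-0001"}, hits):
        print("NEW since last assessment:", f.cve_id)
```

In practice the feed would come from the NVD API and the inventory from the build system; the point of keeping the comparison in code is that the same check runs at supplier intake and on every feed refresh, and the boundary handling (an exclusive upper bound excludes the fixed version, an inclusive one keeps it) is decided once rather than by hand each time.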