Medical Devices: Tackling 3rd-Party Component, Software Risk

Anura Fernando of UL Addresses Critical Cyber Considerations for Manufacturers
The integration of third-party components and software is an increasingly critical area of security risk that needs more attention from medical device manufacturers, says Anura Fernando, global head of medical device security at safety certification firm UL.
"We've gotten to a point as an industry where a lot of manufacturers understand that they need to have basic things, like authentication, authorization, encryption of data and protection of personally identifiable information and protected health information," he says in an interview with Information Security Media Group.
"But where we are seeing a lack of awareness across the industry is the notion of integration. Whether you're integrating a component into a device or integrating multiple software-as-a-service solutions, we see that that integration is often where some level of breakdown can occur."
Often, there are business constructs in place, such as service-level agreements, "that drive some of the behaviors of those interfaces," Fernando says.
"But often when you get into contracts and contract language, there are still a lot of areas that need to be better addressed.
"Whether we're talking about buying a component and integrating it into your product, or whether we're talking about subscribing to a software as a service, the differences and security posture of the vendor-purchaser relationship can really start to open up some of those cracks and expose vulnerabilities that threat actors can go right after," he says.
In the interview, Fernando also discusses:
- Tips for addressing areas of security gaps with third-party component and services vendors;
- The importance of software bills of materials across all critical infrastructure sectors, including healthcare, and how granular SBOMs might become;
- Applying threat modeling to medical devices.
In addition to his current role at UL as global head of medical device security, Fernando has served on a variety of federal advisory panels and industry task forces tackling cybersecurity-related issues in healthcare. He has more than 24 years of experience at UL with safety critical software and control systems certification and has conducted research across multiple application domains, including industrial automation, alternative energy, medical, hazardous locations, appliances, optical radiation, nanotechnology and battery technologies.