7. Third-party software vulnerabilities
Third-party software incorporated into medical devices poses unique cybersecurity challenges. A software vulnerability that is not remedied could allow a medical device to be compromised, which could disrupt patient care — possibly on a system-wide level — or lead to a data breach. Protecting against such vulnerabilities requires assessing a medical device supplier’s ability to manage the software on its devices, obtaining security information for the devices in inventory (such as that available from an MDS2 form or a software bill of materials), and using appropriate tools to store and retrieve this information.
Efforts to remediate vulnerabilities in third-party operating systems and other off-the-shelf software components may be hindered by:
- Difficulties identifying which medical devices include the affected software.
- Delays in receiving guidance while the medical device vendor audits its product lines, validates third-party patches and develops recommendations for remediating the problem.
- Practical challenges associated with applying the mitigation in a clinical environment where equipment might be in continuous patient use or delivering life-sustaining therapy.
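The first obstacle above, working out which devices in the fleet carry an affected component, is exactly what a stored SBOM is meant to answer. The following script is an added illustration, not part of the original report or of any vendor's tooling: it loads a constructed inventory in which each device record carries a CycloneDX-style component list (the `asset_id`, `location` and `life_sustaining` fields are assumed inventory attributes, not part of the SBOM standard), matches a constructed advisory with a placeholder identifier against those components, and reports affected devices with life-sustaining equipment listed first, plus devices whose SBOM is missing so they can be chased up with the supplier rather than silently treated as safe.

```python
"""Match a vendor advisory against SBOMs stored with a medical-device inventory."""
import json

# Constructed sample inventory (illustrative only, no real vendor or product).
# Each record holds a CycloneDX-style SBOM fragment; the third device has none.
INVENTORY_JSON = r'''
[
  {"asset_id": "INF-PUMP-001", "location": "ICU-3", "life_sustaining": true,
   "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
              {"type": "library", "name": "libexample-tls", "version": "2.4.1"},
              {"type": "operating-system", "name": "rtos-kernel", "version": "5.0.2"}]}},
  {"asset_id": "MON-007", "location": "ED-2", "life_sustaining": false,
   "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
              {"type": "library", "name": "libexample-tls", "version": "2.6.0"},
              {"type": "application", "name": "embedded-web-ui", "version": "1.2.0"}]}},
  {"asset_id": "IMG-WS-012", "location": "Radiology", "life_sustaining": false,
   "sbom": null}
]
'''

# Constructed advisory: the identifier is a placeholder, not a real CVE.
# Vulnerable range is [introduced, fixed).
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-0001",
    "component": "libexample-tls",
    "introduced": "2.0.0",
    "fixed": "2.5.0",
}


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of integers.

    Non-numeric suffixes (e.g. "2.4.1b") are ignored so that only the numeric
    part is compared; components with no digits sort as 0.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True if version lies in the half-open vulnerable range [introduced, fixed)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def match_advisory(inventory, advisory):
    """Return one finding per device: affected, not_affected, or unknown (no SBOM)."""
    findings = []
    for device in inventory:
        base = {"asset_id": device["asset_id"], "location": device["location"],
                "life_sustaining": device["life_sustaining"]}
        sbom = device.get("sbom")
        if not sbom:
            # A missing SBOM is a gap in the inventory, not evidence of safety.
            findings.append({**base, "status": "unknown", "reason": "no SBOM on file"})
            continue
        hit = next((c for c in sbom.get("components", [])
                    if c.get("name") == advisory["component"]
                    and is_affected(c.get("version", "0"),
                                    advisory["introduced"], advisory["fixed"])), None)
        if hit:
            findings.append({**base, "status": "affected", "advisory": advisory["id"],
                             "component": hit["name"], "version": hit["version"]})
        else:
            findings.append({**base, "status": "not_affected"})
    return findings


def summarize(findings):
    """Group asset ids by status; affected devices ordered life-sustaining first."""
    affected = sorted((f for f in findings if f["status"] == "affected"),
                      key=lambda f: (not f["life_sustaining"], f["asset_id"]))
    return {
        "affected": [f["asset_id"] for f in affected],
        "unknown": [f["asset_id"] for f in findings if f["status"] == "unknown"],
        "not_affected": [f["asset_id"] for f in findings if f["status"] == "not_affected"],
    }


if __name__ == "__main__":
    inventory = json.loads(INVENTORY_JSON)
    results = match_advisory(inventory, ADVISORY)
    for finding in results:
        print(json.dumps(finding))
    print(json.dumps(summarize(results), indent=2))
```

The "unknown" bucket is deliberate: when the second and third obstacles above delay vendor guidance or patching, the list of devices with no SBOM on file is the list on which the organization cannot even begin a risk assessment, and it should be raised with the supplier alongside the affected devices rather than dropped.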