Introduction: Building Security from the Ground Up

Medical device security has to be designed in from the start because architectural decisions, once made, are expensive or impossible to undo. Planning early means writing a security management plan, defining security objectives, and modeling threats before code exists. Controls retrofitted onto a finished design cost more and protect less.

Imagine building a house. You wouldn't wait until the walls are up to decide where the doors should go or how to lock them. The same principle applies to medical device security - it must be planned and built in from the very beginning.

This chapter will guide you through:

• Creating a security management plan that serves as your blueprint
• Understanding what FDA expects your device to achieve (security objectives)
• Designing security architecture that protects patients
• Identifying threats before they become problems
• Assessing and managing security risks

The decisions you make during planning and architecture will affect every aspect of your device throughout its entire life. Getting this right now saves time, money, and most importantly, protects patients.