Cyber Security for Medical Devices

The impact of Cyber Security incidents on society is high, and in healthcare it impacts the ability for hospitals to provide care. Hospitals are more often the direct or collateral target of ransomware attacks, which brings the IT systems which we are increasingly depending on to a halt. In healthcare, these IT systems include normal back-office systems, building automation, such as HVAC and building access systems; and of course, medical IT systems such as medical devices, SaMD, health IT systems, pharmacy systems and Electronic Health Record systems.

Almost every day some hospital somewhere in the world is hampered in its daily operation, sometimes patients must be redirected to other hospitals, where delayed treatment is a serious impact on patient safety. In Germany, Dusseldorf, September 2020 a direct link was established between the death of a patient and a cyberattack. A patient treatment was delayed as the emergency department of the nearby hospital was closed due to a cyberattack and the patient died shortly after arriving at another hospital an hour later. The public prosecutor in Cologne concluded that they could not find enough grounds to pursue the hackers for negligent homicide. Although ransomware was involved in the case, there were no means to establish legal causation that the hackers, if they even could be identified, contributed sufficiently to the fatality. Examples of further regular impacts are the inability to access and even the loss of patient records, badge scanners and building access systems down and emergency services and dispatch centers interrupted.

The impact on the ability to deliver care is a major concern to society and thus to policymakers. As a result, Healthcare, just like other critical infrastructures, are forced to improve their security resilience to be able to identify, protect, detect, respond and recover from cybersecurity risks. Defending against these malicious attackers is not something that hospitals can only do by themselves, vendors in the supply chain are accountable, not only for delivering secure products and services, but they also furthermore need to support the hospital in its ability to do proper risk management by providing for instance sufficient security information about the products and services they use.

One of the challenges for medical device manufactures is that managing security often requires rapid changes to the medical device, which was perceived as difficult or even impossible as the medical device is a heavily regulated product. This view has changed already several years ago, where patching a vulnerability is being regarded as bringing a medical device back into compliance instead of being perceived as a software change. Today medical device regulators around the globe require medical device manufactures to handle not only safety risk management but also focus on security management as a security vulnerability often if not always has the potential to impact safety, property, or the environment.

Another challenge is that although safety risk management and security risk management are identical from a high-level perspective, there are distinct differences. For instance, the risk assessment methodologies are different as in security we use the term ‘likelihood’ and not ‘probability’ and we use threat modeling for security while FMEA’s are common for safety. And unlike safety where it is often about a calculated probability of something to fail, while in security we must deal with malicious human actors, which may use vulnerabilities they just discovered or vulnerabilities that have been dormant for years.

Standards to deal with security management both for hospitals and for manufactures have been developed over the years. In December 2021 the IEC 81001-5-1 standard was published which explains how to embed security by design activities within the context of 62304, a process standard most if not all medical device manufacturers are familiar with. It is essential for a manufacturer to understand that product security activities should be embedded in the lifecycle activities of a medical device, it should and cannot be an add-on.

Our Cyber Security for Medical Devices training course provides an overview of the threat landscape, the regulatory requirements for hospitals and medical device manufactures. The seminar provides an understanding of how to embed and apply state-of-the-art security in the existing processes, to deliver safe and secure products and solutions.


Published on Mar 02, 2022 by Ben Kokx