For developers and manufacturers of networked medical devices, IT security is increasingly becoming a challenge. While the number of cyber threats is growing significantly, companies often lack experience and clear guidelines for medical security. A comprehensive and complete security risk management plan helps to meet existing requirements in the best possible way and helps develop efficient countermeasures.
The healthcare sector is more in the public eye than ever before during the coronavirus pandemic. The sector has been doubly affected: On the one hand, intensive care had to be stretched to the limit at times, and politicians and the media everywhere are calling for medical and epidemiological expertise. On the other hand, cyber threats in the healthcare sector increased massively. According to the “2021 Global Threat Intelligence Report” of the technology service company NTT, the number of cases in the healthcare sector tripled in 2020 compared to the previous year. 1 Four out of five medical device manufacturers were the target of at least one attack in 2019. Telemedicine and remote care were the most affected.
Nearly one in four medical devices is connected to the Internet or otherwise connected to a network. While there were already around 337 million devices in 2017, the number is estimated to rise to 125 billion by 2030. 2 This also includes digital health applications, whose development is encouraged by several European initiatives like the German “Digital Healthcare Act.”3 In times of pandemic, when care should be as contactless as possible, they receive special attention.
Little Experience and Serious Consequences
The attacks range from extortion attempts (ransomware) to industrial espionage. Besides pharmaceutical companies and clinics, research institutions are also targeted. In the worst case, manipulations in sensitive medical areas endanger the safety of patients and users. However, the affected manufacturers and institutions must also reckon with considerable and lasting economic consequences in less serious cases — for example, due to the loss of brand image if critical security vulnerabilities or safety deficits become public.
A secure product requires effective security measures and a clear set of requirements. However, many manufacturers have little experience with cybersecurity, and there are no clear guidelines, for example on how to implement “security by design” for medical devices. In addition, there are only a few industry-specific standards, such as the technical report IEC TR 60601-4-5 (“Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications”).
Risk Management from Design to Decommissioning
To identify all risks and threats, cybersecurity should be a key consideration at every stage of development. Because many security vulnerabilities only become apparent after a product is on the market, risk management must encompass the entire life cycle, all the way through to decommissioning. This means that even if the product is already distributed, it must be continuously monitored. This includes a reporting system, a problem resolution process, and regular updates. It should be borne in mind that medical devices are designed for a significantly longer operating life than, for example, household electronics or software for private use.
The European General Data Protection Regulation (GDPR) already defines high requirements for data security. Regulations EU 2017/46 (In-vitro Diagnostic Device Regulation, IVDR) and EU 2017/745 (Medical Device Regulation, MDR) set cybersecurity requirements and demand, among other things, IT security measures in accordance with the “generally accepted state of the art.” Depending on the product class of a medical device, based on the classification by the MDR, extensive safety and performance requirements are the result for European market access.
Useful guidance exists for some subareas. The MDCG 2019-16 guide, for example, specifies the requirements for security risk management throughout the entire product life cycle. In its “Postmarket Management of Cybersecurity in Medical Devices” guide, the U.S. Food and Drug Administration (FDA) highlights the cybersecurity aspects of products already placed on the market. This is also helpful for manufacturers outside the U.S. market.
Continuous Monitoring and Testing
A comprehensive risk management and a security life cycle form the basis for a secure medical device. In addition, ongoing controls such as vulnerability scans, penetration tests, and fuzzing are necessary to ensure safe functioning — even during the operational phase.
With the implementation of existing standards and specifications, manufacturers and developers ensure that their medical product corresponds to the technical state of the art. Proof of cybersecurity of the medical device must be provided to the regulatory authorities or notified bodies as part of the certification process.
This article was written by Dr. Abtin Jamshidi Rad, Global Director Functional Safety, Software and Digitization, TÜV SÜD Product Service GmbH, Munich, Germany. Contact
References
- 2021 Global Threat Intelligence Report
- The Internet of Things: A Movement, Not a Market
- “Driving the digital transformation of Germany’s healthcare system for the good of patients,” (“Digitale-Versorgungs-Gesetz”, DVG).