Functional safety is an important aspect of the approval of medical devices. Its aim is to design a medical device so that foreseeable technical malfunctions are anticipated, detected or controlled, and do not endanger people. Device manufacturers must demonstrate the functional safety of their products. To assess the associated hazards, manufacturers use, among other things, specific risk management methods that are required, for example, by the European Medical Device Regulation (MDR) or by the U.S. Food and Drug Administration (FDA).
When assessing safety risks, IT security must also be taken into account. The question for manufacturers is how to protect the software and hardware of their medical devices with IT security measures in such a way that functional safety is continuously guaranteed across the wide variety of application scenarios found at the customer's site.
Manufacturers see great opportunities, but also great risks, particularly in connecting devices to the Internet. Many new functions and services are only possible with an Internet connection, but that same connection significantly increases the exposure of medical devices to cyber attacks. Physical systems and infrastructures are especially attractive to attackers because they offer remote influence over sensitive or critical infrastructure. For medical devices the consequences could be catastrophic: imagine an attacker manipulating, for example, the ventilation functions of a device treating an emergency patient in a hospital, from the comfort of their own home.
It is hard to say how likely such an attack is. The FDA has stated that it is not aware of any cybersecurity incident to date in which a medical device in use by a patient was successfully attacked, but it is only a matter of time, and such an incident would be a worst-case scenario of extreme consequence for the medical device manufacturer.
But how do medical device manufacturers secure their products? What IT security requirements exist, for example, to mitigate safety risks?
Unfortunately, there is no single answer; the answers are varied and sometimes imprecise. The Medical Device Regulation (MDR), for example, requires "state-of-the-art" IT security for a medical device. But what does state of the art mean here?
These are examples of the questions a medical device manufacturer must ask and answer, or for which it must develop "state of the art" IT security solutions:

- How do I secure my device software?
- How do I secure measurement and patient data?
- How does the device have to react to, for example, denial-of-service attacks?
- Are basic safety functions still guaranteed during a cyber attack?
- How do I secure the transfer of data to the cloud?
- Do I need to encrypt the data itself, or is encrypting the communication channel sufficient?
- How do I secure interfaces such as WLAN or Bluetooth?
Various IT security standards and guidelines for manufacturers of medical devices and industrial components help to answer questions such as these. Relevant standards, guidelines and recommendations include the following:
| Topic | Standards, guidelines, recommendations |
|---|---|
| Software development | IEC 62304: harmonized standard for the software life cycle processes of medical device software. |
| IT security recommendations of the German Federal Office for Information Security (BSI) | BSI document for medical device manufacturers: "Cyber security requirements for network-enabled medical devices". TR-02102: BSI technical guideline on cryptographic mechanisms, with recommendations on algorithms and key lengths. |
| FDA cybersecurity guidance documents | FDA guidance documents "Cybersecurity in Medical Devices", "Postmarket Management of Cybersecurity in Medical Devices" and "Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software". |
| Guideline for IT security of medical devices | IT security guideline for medical device manufacturers developed by the Johner Institute together with other bodies (including TÜV SÜD and TÜV Nord). |
| IEC 62443 series | Holistic approach to industrial security in production and automation. Of particular interest to medical device manufacturers are IEC 62443-4-1 (secure product development life cycle requirements) and IEC 62443-4-2 (technical security requirements for components). |
| Information Security Management System (ISMS) | The manufacturer should not focus only on the security of the device itself, but should also define higher-level rules and procedures in-house to ensure information security. ISO 27001 specifies the requirements for setting up and operating an ISMS. IEC 62443-2-1 defines a security management system for industrial automation that builds on ISO 27001. |
| European General Data Protection Regulation (GDPR) | Self-evident in principle, but a particular challenge for medical device manufacturers: compliance with the GDPR when processing personal and health data. |
How a medical device manufacturer should apply the standards, guidelines and recommendations listed above in its product development cannot be explained in one sentence. In the coming blog posts we will discuss specific approaches for taking IT security requirements into account.
Blog post by Volker Brunsiek.