Publication of BSI study on cybersecurity in medical devices

Miriam Schuh

As the health care industry becomes increasingly digitized and interconnected, the importance of cybersecurity is growing as well, and this is reflected in the new European regulations for medical devices. In practice, however, we are constantly seeing network-capable medical, IoT and elder care products with vulnerabilities. If these vulnerabilities are exploited by cybercriminals, patients' lives and health may soon be in jeopardy. For this reason, the Federal Office for Information Security (BSI) is devoting an increasing amount of attention to this issue (only in German) and has launched several projects to examine cybersecurity in the health care industry. The findings (only in German) from two of these projects, "ManiMed: manipulation of medical devices" and "eCare: digitization in care," have now been published.

The eCare project

In the course of the "eCare" project, a total of six network-capable nursing devices currently available on the market were examined from a cybersecurity viewpoint. After evaluating the project, the authors of the study concluded that "the level of IT security we found can be described as poor to very poor" (PDF). The authors' criticism is not limited to the fact that all of the examinations uncovered moderate to severe vulnerabilities: their assessment covered cybersecurity processes as well. For example, the authors found that none of the devices had been subjected to a professional penetration test, leading them to conclude that IT security management was of secondary importance to the manufacturers during the development of these devices. They also found that relevant aids such as BSI's recommendations on cybersecurity requirements for network-capable medical devices (only in German) were not taken into account to an adequate extent. In the end, the authors determined that "the voluntarily achieved level of security offers inadequate security in broad areas" and pleaded for stricter regulations, including concrete cybersecurity requirements.

The ManiMed project

In the "ManiMed" project, a total of ten network-capable medical devices from five different product categories were subjected to an in-depth cybersecurity analysis. As the final project report impressively demonstrates, more than 150 vulnerabilities were reported to the manufacturers in the course of this project. The project found that the accompanying infrastructure for these devices was vulnerable as well. Accordingly, manufacturers interested in improving or evaluating their cybersecurity should pay particular attention to this aspect. The authors also found that "the IT security situation varies sharply from manufacturer to manufacturer and depends on the maturity of each manufacturer." The decisive factors for raising the level of cybersecurity for medical devices, according to the authors, are concrete legal requirements and greater motivation on the part of manufacturers to proactively confront cybersecurity challenges.

Recommendations and guidance for manufacturers

Manufacturers of medical devices, network-capable nursing devices and digital health care apps should use the findings of these studies to examine their own processes and uncover possible sources of error before they lead to defects. They should pay attention to the applicable legal obligations in the sphere of cybersecurity and the handling of vulnerabilities in order to avoid unnecessary liability risks. In particular, reference should be made in this regard to Annex I No. 17.2 of the MDR, which specifically requires "state-of-the-art" software development with regard to IT security as well. Accordingly, manufacturers are required to define requirements for the measures to be taken by operators with regard to IT security. If they fail to do so, the manufacturers may be liable in the event of damages.

In addition to the aforementioned guidance from the CyberMed expert group, concrete recommendations on how to implement the IT security requirements defined in the MDR (PDF) (and later on in the In Vitro Diagnostic Medical Devices Regulation, or IVDR) are also provided by the Medical Device Coordination Group (MDCG) in its Guidance on Cybersecurity for medical devices. It may also be helpful to examine the recommendation from the Interest Group of Notified Bodies (IG-NB) (PDF, only in German). This document raises important questions in connection with the assessment of IT security for medical devices and includes references to key laws and standards. Additional information can be found in the FDA Cybersecurity Guidance documents as well.

By paying attention to and proactively confronting the relevant legal requirements and guidance documents over the entire life cycle of the device, from development and design through product surveillance in the field, manufacturers will be able to adequately account for both the preventive aspects of cybersecurity and, to an increasing extent, relevant reactive aspects as well.

[January 2021]