Publication of BSI study on cybersecurity in medical devices

As the health care industry becomes increasingly digitized and interconnected, the importance of cybersecurity is growing as well, and recognition of this aspect is found in the new European regulations for medical devices. In practice, however, we are constantly seeing network-capable medical, IoT and elder care products with weak points. If these weak points are exploited by cybercriminals, patients' lives and health may soon be in jeopardy. For this reason, the Federal Office for Information Security (BSI) is devoting an increasing amount of attention to this issue (only in German) and has launched several projects to examine cybersecurity in the health care industry. The findings (only in German) from two of these projects, "ManiMed: manipulation of medical devices" and "eCare: digitization in care," have now been published.

The eCare project

In the course of the "eCare" project, a total of six network-capable nursing devices which are currently available on the market were examined from the viewpoint of cybersecurity. After evaluating the project, the authors of the study concluded that "the level of IT security we found can be described as poor to very poor" (PDF). The authors' criticism is not limited to the fact that all of the examinations uncovered moderate to severe vulnerabilities: their assessment included cybersecurity processes as well. For example, the authors found that none of the devices had been subjected to a professional penetration test, leading them to conclude that IT security management was of secondary importance to their manufacturers in the development of these devices. They also found that relevant aids such as BSI's recommendations on cybersecurity requirements for network-capable medical devices (only in German) were not taken into account to an adequate extent. In the end, the authors determined that "the voluntarily achieved level of security offers inadequate security in broad areas" and pleaded for stricter regulations, including concrete cybersecurity requirements.

The ManiMed project

In the "ManiMed" project, a total of ten network-capable medical devices from five different product categories were subjected to an in-depth cybersecurity analysis. As the final project report impressively demonstrates, more than 150 vulnerabilities were reported to the manufacturers in the course of this project. The project found that the accompanying infrastructure for these devices was vulnerable. Accordingly, manufacturers which are interested in improving or evaluating their cybersecurity should pay particular attention to this aspect. The authors also found that "the IT security situation varies sharply from manufacturer to manufacturer and depends on the maturity of each manufacturer." The decisive factors for raising the level of cybersecurity for medical devices, according to the authors, are concrete legal requirements and greater motivation on the part of manufacturers to proactively confront cybersecurity challenges.

Recommendations and guidance for manufacturers

Manufacturers of medical devices, network-capable nursing devices and digital health care apps should use the findings of this study to examine their own processes and uncover possible sources of error. They should pay attention to the applicable legal obligations in the sphere of cybersecurity and relating to the handling of vulnerabilities so as to avoid unnecessary liability risks. In particular, reference should be made in this regard to Annex I No. 17.2 of the MDR, which specifically requires "state-of-the-art" software development with regard to IT security as well. Accordingly, manufacturers are required to define requirements for the measures to be taken by operators with regard to IT security. If they fail to do so, the manufacturers may be liable in the event of damages.

In addition to the aforementioned guidance from the CyberMed expert group, concrete recommendations for how to implement the IT security requirements defined in the MDR (PDF) (and later on in the In-Vitro Diagnostics Regulation, or IVDR) are also provided by the Medical Device Coordination Group (MDCG) in its Guidance on Cybersecurity for medical devices. It may also be helpful to examine the recommendation from the Interest Group of Notified Bodies (IG-NB) (PDF, only in German). This document raises important questions in connection with the assessment of IT security for medical devices and includes references to key laws and standards. Additional information can be found in the FDA Cybersecurity Guidance documents as well.

By paying attention to and proactively confronting the relevant legal requirements and guidance documents over the entire life cycle of the device, from development and design through product surveillance in the field, manufacturers will be able to adequately account for both the preventive aspects of cybersecurity and, to an increasing extent, relevant reactive aspects as well.
