Cybersecurity requirements for network-enabled medical devices
Digitalisation and the associated trend towards networking are also important topics for medical devices. Fast and convenient exchange of information is beneficial, for example when analysing a patient's state of health, and can improve the quality of treatment.
These medical devices are used in areas that are considered safety-critical for patients. In addition, the data they transmit is regarded as particularly worthy of protection under the German Data Protection Act (DSGVO). Not least with regard to audit procedures, manufacturers therefore need to pay special attention to cybersecurity. Accordingly, questions about cybersecurity requirements for network-enabled medical devices and how to protect them are important topics.
Such protection includes organisational as well as technical measures. We give an overview of both areas and highlight the key points.
by Sebastian Wittor
Technical measures are all software- and hardware-based protective measures that can be implemented to secure the medical device against attacks by third parties. They address specific potential attack vectors and protect the medical device against them.
Securing network communication
The biggest attack vector for network-enabled medical devices is an attack on the communication channels and the associated exchange and processing of data, which gives an attacker the opportunity to read or manipulate that data. Securing communication starts with an analysis; the planning and technical implementation of the data transmission are then based on it. The data should be secured according to the protection goals, taking into account current protective measures and cryptographic procedures.
Preventing the disclosure of information
Besides protecting data transmission, the protection of the medical device itself, including its host system, must also be taken into account. System-based vulnerabilities allow attackers to obtain information about the communication and the security features in use, which can then be used to attack the network connection.
Detection of attacks
Despite the use of current security standards and their conscientious implementation, attacks on unknown vulnerabilities cannot be ruled out. The implementation of a system to detect potential attacks is therefore recommended. Such a system analyses the use of the medical device and its communication channels and, based on this data, detects irregularities that could indicate an attack. Beyond detection, it also serves to understand the course of an attack and its attack vector, so that concrete countermeasures can be initiated on that basis.
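As an added illustration of such a detection system (example code written for this article, not a vendor's product), the following script checks a constructed communication log of a network-enabled medical device against an assumed baseline of expected peers, ports and volumes, and reports irregularities once each, in time order, so the course of an incident can be read back as a timeline. All addresses, ports and thresholds are assumed values.

```python
# Added example (not from the article): a minimal irregularity detector over a
# constructed communication log of a network-enabled medical device.
from collections import Counter
# Assumed baseline of the device's expected network behaviour (constructed values).
BASELINE = {
    "allowed_peers": {"10.0.5.20", "10.0.5.21"},  # e.g. hospital gateway, PACS
    "allowed_ports": {443, 8883},                  # e.g. HTTPS, MQTT over TLS
    "max_auth_failures": 3,                        # per-peer burst threshold
    "max_bytes_per_peer": 200_000,                 # per-peer volume threshold
}
def parse_line(line):
    """Parse the constructed format '<ts> <event> key=value ...' into a dict."""
    ts, event, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return {"ts": int(ts), "event": event, "peer": f.get("peer", "?"),
            "port": int(f.get("port", 0)), "bytes": int(f.get("bytes", 0)),
            "result": f.get("result", "ok")}
def detect(lines, baseline=BASELINE):
    """Return (timestamp, reason, detail) findings, once per irregularity, in time order."""
    findings, seen = [], set()
    auth_fail, volume = Counter(), Counter()
    def flag(ts, reason, detail):
        if (reason, detail) not in seen:       # report each distinct irregularity once
            seen.add((reason, detail))
            findings.append((ts, reason, detail))
    for r in map(parse_line, lines):
        if r["peer"] not in baseline["allowed_peers"]:
            flag(r["ts"], "unknown_peer", r["peer"])
        if r["port"] not in baseline["allowed_ports"]:
            flag(r["ts"], "unexpected_port", r["port"])
        if r["event"] == "auth" and r["result"] == "fail":
            auth_fail[r["peer"]] += 1
            if auth_fail[r["peer"]] >= baseline["max_auth_failures"]:
                flag(r["ts"], "auth_failure_burst", r["peer"])
        volume[r["peer"]] += r["bytes"]        # cumulative bytes exchanged per peer
        if volume[r["peer"]] > baseline["max_bytes_per_peer"]:
            flag(r["ts"], "volume_spike", r["peer"])
    return findings
# Constructed sample log: normal traffic, then an unknown peer failing authentication
# repeatedly, a connection on a legacy port, and an unusually large transfer.
SAMPLE_LOG = [
    "1000 connect peer=10.0.5.20 port=443 bytes=1200",
    "1005 auth peer=10.0.5.20 port=443 bytes=300 result=ok",
    "1010 connect peer=192.0.2.77 port=443 bytes=50",
    "1011 auth peer=192.0.2.77 port=443 bytes=40 result=fail",
    "1012 auth peer=192.0.2.77 port=443 bytes=40 result=fail",
    "1013 auth peer=192.0.2.77 port=443 bytes=40 result=fail",
    "1020 connect peer=10.0.5.21 port=23 bytes=10",
    "1030 transfer peer=10.0.5.20 port=443 bytes=250000",
]
```

Calling `detect(SAMPLE_LOG)` yields four findings: the unknown peer at 1010, its authentication-failure burst at 1013, the legacy port at 1020 and the volume spike at 1030; the timestamps give the order in which an incident unfolded.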
Ensuring basic functionality
Medical devices should maintain their basic functionality even without an active network connection or during a potential attack. The highest protection goal, and therefore the central concern of cybersecurity, is safeguarding the health of patients.
Analysis for securing network communication
The most important questions at a glance