Cybersecurity requirements for network-enabled medical devices

Digitalisation and the associated trend towards networking are also important topics for medical devices. The fast and convenient exchange of information is beneficial, for example, when analysing the state of health of patients, and can increase the quality of treatment.

These medical devices are used in areas that are safety-critical for patients. In addition, the data they transmit is health data and therefore a special category of personal data under the EU General Data Protection Regulation (GDPR, in German DSGVO), which makes it particularly worthy of protection. Not least with regard to audits, manufacturers must therefore pay special attention to cybersecurity. Accordingly, the cybersecurity requirements for network-enabled medical devices, and how to meet them, are important topics.

Such protection includes not only technical but also organisational measures. We give you an overview of both areas and present important points.

by Sebastian Wittor

Organisational Measures

Organisational measures are protective measures that are implemented through instructions, procedures and ways of working. They serve to avoid potential attack opportunities and define the processes for dealing with vulnerabilities that have become known.

Cybersecurity risk analysis

In order to fulfil the essential requirements of the currently applicable medical device legislation, a risk analysis must be prepared as part of the conformity assessment procedure. The risks identified there, which also include cybersecurity risks, are analysed, mitigated and documented. The risk analysis is a continuous process: new potential attack vectors identified in the course of development are added to it, together with the decision on how to deal with them. The goal is to minimise the probability that security risks materialise and to reduce their impact on patients and on the medical device.

Life cycle of the medical device

Cybersecurity plays an important role throughout the life cycle of a medical device. Right at the start of the planning and development of such a product, essential questions about the software development process are settled. These include the specifications for secure implementation (for example secure coding rules), the selection of trustworthy development tools, and the control mechanisms by which compliance is checked, typically review checkpoints (security gates) and system tests.

The life cycle also governs the handling of security-relevant questions after product release, with regard to product maintenance and vulnerabilities that become known. Relevant here are processes for detecting new potential attack vectors, for regularly checking all external subcomponents used (third-party libraries, operating system, firmware) against newly published vulnerabilities, and the product's update policy.

Communication of vulnerabilities

In addition to dealing with vulnerabilities that have become known, it is also necessary to define how to communicate about them. This includes establishing communication channels, among other things for reporting detected vulnerabilities to the manufacturer, openly communicating these vulnerabilities to users, and providing a contact point for cybersecurity-related questions.

Technical Measures

Technical measures are all software- and hardware-based protective measures that can be implemented to secure the medical device against attacks by third parties. They address specific potential attack vectors and protect the medical device against them.

Securing network communication

The biggest attack vector for network-enabled medical devices is an attack on the communication channels and on the associated exchange and processing of data. Here an attacker may be able to read or manipulate the data. To secure communication, an analysis is needed first (see the questions at the end of this article). On that basis, the data transmission is planned and implemented technically. Taking current protective measures and cryptographic procedures into account, the data should be secured according to the protection goals: confidentiality, integrity and availability, and in practice also the authenticity of the communication partner and the freshness of each message, so that recorded messages cannot simply be replayed.
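
The following Go program is an added example for this section and is not code from BAYOOMED or from any particular device. It shows what "securing the data according to the protection goals" looks like in practice for a device-to-gateway telemetry channel: an authenticated cipher (AES-GCM from the Go standard library) gives confidentiality and integrity, a per-device key gives authenticity, and a monotonic sequence number bound into the authentication tag gives freshness. The device ID, key, message contents and the failure cases are all constructed for the demonstration; in a real product the key would come from provisioning or a secure element, and the channel would normally sit inside TLS as well.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Message is the wire format for one telemetry record. DeviceID and Seq
// travel in clear (the receiver needs them to select the key and check
// freshness) but are bound into the authentication tag as associated data,
// so changing either of them invalidates the record. The payload is
// encrypted and authenticated.
type Message struct {
	DeviceID   string
	Seq        uint64
	Ciphertext []byte // AES-GCM ciphertext with the 16-byte tag appended
}

var (
	ErrUnknownDevice = errors.New("unknown device id")
	ErrReplay        = errors.New("sequence number not fresh (replay or reorder)")
	ErrTampered      = errors.New("authentication failed (tampered or wrong key)")
)

// aad returns the associated data: header fields that must be
// authenticated but stay readable.
func aad(deviceID string, seq uint64) []byte {
	b := make([]byte, 8, 8+len(deviceID))
	binary.BigEndian.PutUint64(b, seq)
	return append(b, deviceID...)
}

// nonce derives the 96-bit GCM nonce from the sequence counter. A (key,
// nonce) pair must never repeat; with a per-device key and a strictly
// increasing counter that holds as long as the counter survives reboots.
func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Device is the sending side: one key and one monotonic counter per device.
type Device struct {
	id   string
	aead cipher.AEAD
	seq  uint64
}

func NewDevice(id string, key []byte) (*Device, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Device{id: id, aead: a}, nil
}

// Send encrypts and authenticates one plaintext record.
func (d *Device) Send(plaintext []byte) Message {
	d.seq++
	ct := d.aead.Seal(nil, nonce(d.seq), plaintext, aad(d.id, d.seq))
	return Message{DeviceID: d.id, Seq: d.seq, Ciphertext: ct}
}

// Gateway is the receiving side: a key per registered device plus the last
// accepted sequence number, used to reject replayed records.
type Gateway struct {
	keys    map[string]cipher.AEAD
	lastSeq map[string]uint64
}

func NewGateway() *Gateway {
	return &Gateway{keys: map[string]cipher.AEAD{}, lastSeq: map[string]uint64{}}
}

func (g *Gateway) Register(id string, key []byte) error {
	a, err := newAEAD(key)
	if err != nil {
		return err
	}
	g.keys[id] = a
	return nil
}

// Receive checks freshness first, then authenticity and integrity, and only
// then yields the plaintext. State is updated only after a record verified,
// so a forged header cannot advance the counter.
func (g *Gateway) Receive(m Message) ([]byte, error) {
	a, ok := g.keys[m.DeviceID]
	if !ok {
		return nil, ErrUnknownDevice
	}
	if m.Seq <= g.lastSeq[m.DeviceID] {
		return nil, ErrReplay
	}
	pt, err := a.Open(nil, nonce(m.Seq), m.Ciphertext, aad(m.DeviceID, m.Seq))
	if err != nil {
		return nil, ErrTampered
	}
	g.lastSeq[m.DeviceID] = m.Seq
	return pt, nil
}

func main() {
	// Constructed demo key; a real device gets it from provisioning or a
	// secure element, never from source code.
	key := []byte("0123456789abcdef0123456789abcdef")
	dev, _ := NewDevice("pump-0042", key)
	gw := NewGateway()
	_ = gw.Register("pump-0042", key)

	m := dev.Send([]byte("hr=72;spo2=98"))
	pt, err := gw.Receive(m)
	fmt.Printf("first delivery: %q err=%v\n", pt, err)

	_, err = gw.Receive(m) // the same record captured and sent again
	fmt.Println("replay:", err)

	m2 := dev.Send([]byte("bolus=2.0"))
	m2.Ciphertext[0] ^= 0x01 // one flipped bit in transit
	_, err = gw.Receive(m2)
	fmt.Println("bit flip:", err)

	m3 := dev.Send([]byte("bolus=2.0"))
	m3.Seq += 10 // header edited to look newer than it is
	_, err = gw.Receive(m3)
	fmt.Println("edited header:", err)
}
```

Note the order of the checks in `Receive`: the cheap sequence-number comparison runs before the cryptographic verification, but the stored counter is only advanced after `Open` succeeded, so an attacker who can inject traffic cannot lock out legitimate records by sending a very high forged sequence number.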

Preventing the disclosure of information

In addition to protecting the data transmission, the medical device itself, including its host system, must be protected. System-based vulnerabilities (for example an exposed debug interface, verbose error messages, or readable configuration and key material) enable attackers to obtain information about the communication and the security features used, which can then be used to attack the network connection.

Detection of attacks

Despite the use of current security standards and their conscientious implementation, attacks on as yet unknown vulnerabilities cannot be ruled out. Therefore, implementing a system to detect potential attacks is recommended. It analyses how the medical device and its communication channels are used and, based on this data, detects irregularities that could indicate an attack. Beyond detection, the recorded data also serves to reconstruct the course of an attack and its attack vector, so that concrete countermeasures can be initiated on that basis.
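
The following Go program is an added example for this section, not code from BAYOOMED or from a real detection product. It shows the simplest form of such a detection system: a specification of normal use (which peers may talk to the device and which commands exist) plus a sliding time window, run over the device's communication log. The log format, the addresses and the rule thresholds are all constructed for the demonstration. The alerts are kept with their timestamps so that, read in order, they also give the timeline the paragraph above mentions: an unknown host appears, fails authentication repeatedly, then invokes an undocumented command.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one record from the device's communication log. The line format
// is constructed for this example: "<RFC3339 time> <peer> <command> <result>".
type Event struct {
	At      time.Time
	Peer    string
	Command string
	Result  string // "ok" or "auth_fail"
}

// Alert is one detected irregularity, kept with its timestamp so the
// sequence of alerts can later be read as a timeline of the attack.
type Alert struct {
	At     time.Time
	Rule   string
	Detail string
}

const (
	RuleUnknownPeer       = "unknown-peer"
	RuleUnexpectedCommand = "unexpected-command"
	RuleAuthFailureBurst  = "auth-failure-burst"
	RuleRateSpike         = "rate-spike"
)

// ParseEvent parses one log line; malformed lines are reported, not skipped,
// because a log that cannot be parsed is itself worth looking at.
func ParseEvent(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Event{}, fmt.Errorf("malformed log line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return Event{At: at, Peer: f[1], Command: f[2], Result: f[3]}, nil
}

// Detector holds the allowlists (what the device is specified to do) and a
// sliding window of recent events for the two frequency-based rules.
type Detector struct {
	allowedPeers    map[string]bool
	allowedCommands map[string]bool
	window          time.Duration
	maxAuthFail     int // failures from one peer inside the window
	maxEvents       int // events from all peers inside the window
	recent          []Event
}

func NewDetector(peers, commands []string, window time.Duration, maxAuthFail, maxEvents int) *Detector {
	d := &Detector{
		allowedPeers:    map[string]bool{},
		allowedCommands: map[string]bool{},
		window:          window,
		maxAuthFail:     maxAuthFail,
		maxEvents:       maxEvents,
	}
	for _, p := range peers {
		d.allowedPeers[p] = true
	}
	for _, c := range commands {
		d.allowedCommands[c] = true
	}
	return d
}

// Observe feeds one event (in time order) and returns the alerts it raised.
func (d *Detector) Observe(e Event) []Alert {
	var alerts []Alert
	if !d.allowedPeers[e.Peer] {
		alerts = append(alerts, Alert{At: e.At, Rule: RuleUnknownPeer, Detail: "traffic from " + e.Peer})
	}
	if !d.allowedCommands[e.Command] {
		alerts = append(alerts, Alert{At: e.At, Rule: RuleUnexpectedCommand, Detail: e.Command + " from " + e.Peer})
	}

	// Drop events that fell out of the window, then add the new one.
	cutoff := e.At.Add(-d.window)
	kept := d.recent[:0]
	for _, old := range d.recent {
		if !old.At.Before(cutoff) {
			kept = append(kept, old)
		}
	}
	d.recent = append(kept, e)

	if e.Result == "auth_fail" {
		n := 0
		for _, r := range d.recent {
			if r.Peer == e.Peer && r.Result == "auth_fail" {
				n++
			}
		}
		if n >= d.maxAuthFail {
			alerts = append(alerts, Alert{At: e.At, Rule: RuleAuthFailureBurst,
				Detail: fmt.Sprintf("%d failures from %s within %s", n, e.Peer, d.window)})
		}
	}
	if len(d.recent) >= d.maxEvents {
		alerts = append(alerts, Alert{At: e.At, Rule: RuleRateSpike,
			Detail: fmt.Sprintf("%d messages within %s", len(d.recent), d.window)})
	}
	return alerts
}

// Analyze runs the detector over a whole log and returns every alert.
func Analyze(d *Detector, lines []string) ([]Alert, error) {
	var all []Alert
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		e, err := ParseEvent(line)
		if err != nil {
			return all, err
		}
		all = append(all, d.Observe(e)...)
	}
	return all, nil
}

// SampleLog is a constructed log: the registered gateway polls normally,
// then an unregistered host fails authentication three times and finally
// calls a command that is not part of the device's specification.
var SampleLog = []string{
	"2024-03-01T10:00:00Z 10.0.0.5 get_status ok",
	"2024-03-01T10:00:30Z 10.0.0.5 push_telemetry ok",
	"2024-03-01T10:01:00Z 10.0.0.9 get_status auth_fail",
	"2024-03-01T10:01:02Z 10.0.0.9 get_status auth_fail",
	"2024-03-01T10:01:04Z 10.0.0.9 get_status auth_fail",
	"2024-03-01T10:01:05Z 10.0.0.9 debug_shell ok",
}

func main() {
	d := NewDetector([]string{"10.0.0.5"}, []string{"get_status", "push_telemetry", "set_dose"}, time.Minute, 3, 5)
	alerts, err := Analyze(d, SampleLog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%s %-20s %s\n", a.At.Format(time.RFC3339), a.Rule, a.Detail)
	}
}
```

The allowlists are the part that makes this approach workable on a medical device: the device's intended use is specified and documented anyway, so "anything outside the specification" is a far more reliable signal than statistical anomaly detection on a constrained embedded system. The thresholds, by contrast, must be tuned against real traffic during verification, otherwise the detector will either miss slow attacks or flood the logs.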

Ensuring basic functionality

Medical devices should maintain their basic functionality even without an active network connection or during an attack, and fail in a safe state when they cannot. The highest protection goal, and thus central to all cybersecurity questions, is the health of the patient.

Analysis for securing network communication

The most important questions at a glance

  • Which communication channel is used (Bluetooth, network, Internet, ...)?

  • What data is transmitted?

  • In which direction do the data and signal flows run?

  • What effects can transferred data have on the target system and what risks can arise from this for patients, users or third parties?

Is this all new territory for you? We would be happy to analyse your products, establish cybersecurity risk management in your company or train colleagues in the development department. Please feel welcome to contact us.
