
Medical Device & IVDs Security Testing (Penetration Testing)

Identify cybersecurity vulnerabilities and ensure compliance with global regulations

Security testing challenges

Compliance with medical device and IVD cybersecurity regulatory requirements is a prerequisite for access to the medical device and IVD markets in all major regions, including the USA, EU, China, Australia and the UK. Independent of the region, regulatory bodies are increasingly aware of cybersecurity for medical devices and IVDs. Consequently, they have published guidance on how to meet cybersecurity requirements, including the need to carry out vulnerability scans, penetration tests or other security tests throughout a medical device's or IVD medical device's entire life cycle.

Securing a medical device or IVD medical device must therefore start at the design stage and includes:

  • A secure development life cycle process and a defence-in-depth strategy
  • A security risk management process
  • Tests to verify and validate the security measures
  • A security post-market process

Security testing is the primary means of fulfilling these verification and validation tasks. It includes vulnerability scanning, source code review, fuzz testing and penetration testing of the medical device. Additional tests can identify software components with known vulnerabilities.

It is vital that the medical intended use is fully understood and considered during security testing. This is particularly important because security requirements can conflict with the clinical performance of a medical device or IVD. For example, requiring two-factor authentication before a defibrillator can deliver a shock would reduce the device's clinical performance and usability. Successfully performing security tests on medical devices and IVDs therefore requires both deep cybersecurity expertise and medical understanding.


Why is medical device and IVDs security testing important?

The growth of digital innovation has increased the attack surface of connected medical devices and IVD medical devices, and with it the importance of cybersecurity. It is therefore essential that manufacturers consider the state of the art and relevant standards such as IEC 81001-5-1 and IEC TR 60601-4-5.

It is also important to remember that security testing is a dynamic process that continues to evolve. A device that was free of the vulnerabilities covered by a security test at one point in time may not remain so, because new vulnerabilities and attack vectors emerge. Likewise, after a software update a vulnerability scan or penetration test should be repeated, at least for the affected parts. Security tests of the changed functionality, and regression tests showing that the change has not negatively affected the cybersecurity of the device, are also vital.


Our services

TÜV SÜD’s medical device and IVD medical device security testing services include:

  • Vulnerability scanning - identifies known vulnerabilities in computers, networks or applications. Once vulnerabilities have been identified, the organisation can perform remediation activities.
  • Static/dynamic code analysis - two complementary techniques for identifying weaknesses and vulnerabilities. Static code analysis scrutinises source code against coding rule guidelines without executing it, while dynamic code analysis exercises the running program with a set of known and/or malicious inputs to find potentially exploitable vulnerabilities.
  • Medical device penetration testing - simulates a real-world attack against a medical device to identify vulnerabilities, so that the manufacturer can improve the product's resilience to cyberattack.
  • Fuzzing - assesses the robustness of the software and identifies implementation bugs by injecting malformed or unexpected data.


Your business benefits

Vulnerability scanning enables you to understand the known vulnerabilities of your medical device or IVD so that you can take action to mitigate them. By implementing a proactive approach that closes cybersecurity gaps, you can maintain the security of your medical devices and IVDs, as mandated by the Medical Device Regulation (MDR), the In Vitro Diagnostic Regulation (IVDR), MDCG 2019-16 and the FDA's cybersecurity guidance documents.

Static/dynamic code analysis enables a manufacturer to support secure coding by creating an automated feedback loop in the early development stages. Prompt detection and remediation of weaknesses reduce the likelihood of changes being required in later product development phases and minimise costs.

Fuzzing covers many of the vulnerability classes that attackers exploit and determines whether the medical device or IVD medical device can handle such unexpected inputs, identifying serious defects and vulnerabilities that would be missed by manual review. This provides assurance that a manufacturer has considered one of the primary techniques attackers use to find software vulnerabilities.
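As an added illustration of the fuzzing service listed above and of the robustness point made in this paragraph, the following Python block is constructed example code; it is not TÜV SÜD's tooling and does not model any real device protocol. It mutates seed records of an invented telemetry line format (`PID:<id>;HR:<bpm>;SPO2:<percent>`), feeds them to a parser written with only well-formed input in mind and to a hardened one, and uses a small oracle to flag two kinds of finding: an exception other than the parser's documented `ValueError`, and a silently accepted out-of-range value. The record format, the function names and the plausibility ranges are all assumptions made for the example.

```python
"""Mutation-based fuzz harness for a toy device telemetry parser.

Constructed example: the record format, both parsers and the mutation
strategies are illustrative only; they are not TÜV SÜD tooling and do not
model any real device protocol.
"""
import random

# Constructed line format: "PID:<patient id>;HR:<beats/min>;SPO2:<percent>"
SEED_RECORDS = [
    b"PID:0042;HR:072;SPO2:098",
    b"PID:1337;HR:110;SPO2:091",
]

EXPECTED_FIELDS = ("PID", "HR", "SPO2")


def parse_naive(data: bytes) -> dict:
    """Parser written with only well-formed records in mind.

    It assumes every field is present, numeric and plausible. Malformed input
    therefore surfaces as an unhandled exception (KeyError once a field name is
    damaged) or as a silently accepted nonsense value; both are what the fuzzer
    below is looking for.
    """
    text = data.decode("ascii")
    fields = dict(item.split(":") for item in text.split(";"))
    return {
        "pid": int(fields["PID"]),
        "hr": int(fields["HR"]),
        "spo2": int(fields["SPO2"]),
    }


def parse_hardened(data: bytes) -> dict:
    """Same format, parsed defensively.

    Contract: return a range-checked record or raise ValueError. No other
    exception type may escape, whatever the input bytes are.
    """
    if len(data) > 64:
        raise ValueError("record too long")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII byte in record") from exc
    fields = {}
    for item in text.split(";"):
        key, sep, value = item.partition(":")
        if not sep or key in fields or not value.isdigit():
            raise ValueError(f"malformed field {item!r}")
        fields[key] = int(value)          # isdigit() guarantees int() succeeds
    if tuple(fields) != EXPECTED_FIELDS:
        raise ValueError(f"unexpected field set {list(fields)}")
    pid, hr, spo2 = (fields[k] for k in EXPECTED_FIELDS)
    # Plausibility limits are part of the constructed example, not clinical values.
    if not (0 <= hr <= 300 and 0 <= spo2 <= 100):
        raise ValueError(f"value out of range: hr={hr} spo2={spo2}")
    return {"pid": pid, "hr": hr, "spo2": spo2}


def check(parser, data: bytes):
    """Oracle: None when the parser honoured its contract, else a bug label."""
    try:
        rec = parser(data)
    except ValueError:
        return None                          # rejecting bad input is correct
    except Exception as exc:                 # any other exception is a robustness bug
        return type(exc).__name__
    if not (0 <= rec["hr"] <= 300 and 0 <= rec["spo2"] <= 100):
        return "out-of-range value accepted"
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: bit flip, delete, insert or duplicate."""
    buf = bytearray(data)
    strategy = rng.randrange(4)
    if strategy == 0 and buf:                        # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif strategy == 1 and buf:                      # drop one byte
        del buf[rng.randrange(len(buf))]
    elif strategy == 2:                              # insert an arbitrary byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:                                        # duplicate a slice (repeated digits/fields)
        start = rng.randrange(len(buf))
        end = rng.randrange(start, len(buf) + 1)
        buf[end:end] = buf[start:end]
    return bytes(buf)


def fuzz(parser, iterations: int = 2000, seed: int = 1) -> dict:
    """Run mutated seed records through parser; return {bug label: first input}."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        case = rng.choice(SEED_RECORDS)
        for _ in range(rng.randint(1, 3)):          # stack a few mutations
            case = mutate(case, rng)
        label = check(parser, case)
        if label is not None:
            findings.setdefault(label, case)
    return findings


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        findings = fuzz(parser)
        print(f"{name}: {len(findings)} bug class(es)")
        for label, case in findings.items():
            print(f"  {label}: {case!r}")
```

The oracle is the part that matters in practice: a fuzzer only finds what its oracle can recognise, so beyond "did it crash" it should encode the parser's contract (here, which exception is acceptable and which value ranges are plausible). The same harness re-run with the same seed after a software update is a cheap regression check of the kind the page recommends.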

Medical device penetration testing identifies previously unknown vulnerabilities in a medical device or IVD. The report provides manufacturers with independent evidence of the effectiveness of their cybersecurity risk mitigation measures, and it can form part of the technical file submitted to notified bodies and regulators.


Why choose TÜV SÜD?

TÜV SÜD has more than 20 years of experience in medical device and IVD medical device cybersecurity. Our testing laboratories, supported by a global team of over 750 healthcare and medical device testing experts, offer a comprehensive range of services to test and assess the cybersecurity of your medical devices and IVDs. We provide a one-stop solution for medical device and IVDs manufacturers, including electrical safety testing, software assessment, biocompatibility and EMC services.

As experts in IT security and data protection, we perform security tests under ISO/IEC 17025 accreditation and in accordance with IEC TR 60601-4-5. Our teams of cybersecurity specialists keep up to date with the latest breaches and attack techniques, helping you future-proof your devices.


Related webinar: MDR/IVDR Cybersecurity from Notified Bodies Perspective

Understand the cybersecurity requirements and standards under the MDR & IVDR from a Notified Body's perspective.