Medical device cyber security

Undergoing tests is a critical step in the process of transforming an innovative design into a reliable and marketable product

Why is the cyber security of medical devices important? 

There are regulatory, ethical and financial reasons to ensure the cyber security of medical devices and their accessories. For example:

  • If unauthorised access is gained to a medical device, the consequences can be severe. That is why cyber security risks must be considered both during the development phase and during the procurement and installation of medical devices.
  • Patient privacy within the framework of the doctor-patient relationship is extremely important and could be compromised in a data breach.

Device manufacturers and health organisations that use insecure technology and fail to ensure the cyber security of their medical devices can pay heavy penalties, both financial and reputational.

Our services to test and assess the cyber security of medical devices

Globally, regulatory organisations are increasingly aware of the cyber security of medical devices. For example, the FDA, the European Commission and Health Canada have published guidance on how to meet cyber security requirements. This guidance specifies when vulnerability scans or penetration tests need to be carried out during the development of medical devices. It is better to implement cyber security requirements early in the development process than to retrofit them into a finished product.

We answer some of the most frequently asked questions to keep you up to date with the latest developments. 

Our testing labs offer a comprehensive range of services to test and assess the cyber security of your medical devices. These include: 

  • Cybersecurity Training

    Training is provided to build awareness and understanding of cybersecurity in medical devices. The objective of the training is to understand the requirements defined in regulatory frameworks such as:

    • European requirements such as MDCG 2019-16
    • US FDA requirements such as
      • FDA QSR
      • Pre-Market Management of Cybersecurity
      • Post-Market Management of Cybersecurity
      • Cybersecurity for networked medical devices
    • Chinese NMPA
    • On-demand training for local frameworks such as those of Japan, Singapore, Brazil and Korea

    Furthermore, training can be provided on the implementation of cybersecurity in medical devices according to international standards such as:

    • IEC TR 60601-4-5 Medical device Cybersecurity
    • ISO 14971:2019 Medical device Risk Management
    • IEC 62443-3-2 Security for industrial automation and control systems: security risk assessment for system design

  • Concept evaluations

    The concept evaluations aim to identify cybersecurity gaps by assessing the device concept against international/harmonised standards, the cybersecurity state of the art and regulatory requirements such as:

    • IEC TR 60601-4-5 Medical device Cybersecurity
    • IEC 81001-5-1 Security - Activities in the product life cycle
    • IEC 62443-3-2 Security for industrial automation and control systems: security risk assessment for system design
    • MDCG 2019-16 Medical device cybersecurity
    • Pre-Market Management of Cybersecurity
    • Post-Market Management of Cybersecurity
    • Cybersecurity for networked medical devices

  • Vulnerability Scans / Assessment and Static / dynamic code analysis

    The objective of vulnerability scans is to identify known weaknesses in computers, networks or applications. Once critical vulnerabilities have been identified, the manufacturer can carry out remediation activities. The benefit of this approach is to close vulnerability gaps and maintain strong security in medical devices.

    The services include:

    • Vulnerability scans (e.g., Network scanning, Web-Application Scanning, Firmware/software scanning) with documentation and grading of the identified vulnerabilities in a vulnerability assessment report.
    • Static and dynamic code analysis, including a dedicated test report with grading of the vulnerabilities

  • Penetration Tests and fuzz testing

    The objective of a penetration test is to simulate a cyber attack in order to evaluate the security status of the medical device or software. The aim is to identify previously unknown weaknesses through manual testing that automated scans would not detect. The test report can be used as objective evidence of the effectiveness of the cybersecurity of a medical device (in the same way that an IEC 60601-1 report is used as objective evidence of its safety).

    The services include:

    • Penetration tests at TÜV Süd are performed according to best practice from all major frameworks (such as OSSTMM, PTES, NIST SP 800-115, ISSAF and OWASP)
    • Penetration testing and fuzz testing are performed under DAkkS accreditation for medical device cybersecurity according to IEC TR 60601-4-5, taking into account the basic safety and essential performance of the medical device
    • Identification of extra testing requirements not covered by the standards listed above
    • Development of product-specific testing methods
    • Assessment of provider-specific security solutions

EXPLORE

  • Webinar: Cyber security of medical devices. Managing the challenges and risks relating to cyber security.
  • Infographics: The New Medical Device Regulation. On 5 May 2017, the European Commission published a new regulation for medical devices.
  • Stories: The Future of Healthcare. Overcoming hazards in connected healthcare.
  • Stories: Wearable Doctors. Transforming the way we track, manage and improve our health.