Does a Vulnerability Scan, Fuzz Testing and Penetration Test That Do Not Reveal Any Findings Indicate That My Medical Device Is Secure?

No, the lack of findings does not indicate that the device is secure. The device might be secure with respect of vulnerabilities that have been part of the security test at a specific point in time. Keep in mind that the security situation for software may change rapidly due to newly emerging security vulnerabilities, or due to new attack vectors.

Is There a Law That Requires a Vulnerability Scan to Be Conducted?

No, there are no laws that requires it to be conducted. However, dedicated security guidance such as the FDA guidance on content of premarket submission for cybersecurity in medical devices and European MDCG 2019-16 guidance and standards such as IEC 81001-5-1 indicate that such a scan must be considered. This means that you should have good arguments in the event you decide to skip it. The same applies for penetration tests.

Do I Have to Repeat a Vulnerability Scan Or Penetration Test After Each Software Change?

You must consider security related tests regarding to the change as well as regression tests which show that your change did not have a negative effect on the cybersecurity of your device. In many cases, a vulnerability scan or penetration test should be repeated; at least partly.

Can I Conduct The Vulnerability Scan and Penetration Test On My Own?

Yes, you can conduct these tests on your own but you need to have the appropriate competences within your organization. Nonetheless, it helps to have a second pair of eyes on your devices.

Why Should I Use a 3rd Party For a Cybersecurity Assessment?

The most important argument for a 3rd party assessment is the impartiality of the 3rd party provider. Depending on the provider you choose; you may also benefit from a provider that has a broader knowledge. In case of cybersecurity testing the medical device specific knowledge and expertise of the 3rd party-provider should be ensured, preferably by accreditation according to a medical device standard such as IEC 60601-4-5. Products having tests conducted by accredited laboratories would provide a higher level of assurance for the industry in addition to ensuring the harmonization of test categories based on risks.

Cybersecurity Requirements for Medical Devices

Protect your Medical Devices from Cyberattacks

Cyberattacks against critical systems and equipment, including medical devices, are frequent in today's highly connected world. The number of cyberattacks worldwide is expected to double by 2025.1

The issue of cybersecurity is a particular concern for several industries, including the medical device industry. Quality healthcare depends on secure access to advanced medical technologies that use software and communications protocols to actively exchange vital patient information with other medical systems and devices. Cyber breaches impacting medical devices put the safety of individual patients at risk and severely compromise the quality of healthcare for people worldwide.

White Paper: 81001-5-1 & Medical Device Cybersecurity

The Importance of Cybersecurity for Medical devices

There are regulatory, ethical and financial reasons why cybersecurity must be considered and ensured in medical devices, IVDs and their accessories. For example:

Compliance to regulatory requirements are the prerequisite to access the medical device markets in all major regions such as USA, EU, China, Australia and UK. Among those are the European medical device regulation (MDR) and In Vitro Diagnostics Medical Device Regulation (IVDR), which defines several cybersecurity requirements in annex I of the regulation under the “general safety and performance requirements”. The United States Food and Drugs Administration (FDA) on the other hand provides guidance documents, such as the “Postmarket Management of Cybersecurity in Medical Devices”, which explains how to fulfil the respective cybersecurity requirements.

Unauthorized Access to a medical device might lead to severe consequences. Attacks against a medical device can put at risk the safety of the patient, with fatal consequences in certain cases. If cybersecurity risks are not effectively minimized or managed, it could potentially result in patient harm such as injury or death, for instance by intentional malfunction of a medical device or its unavailability and delayed treatment.
Connected Medical Devices bring new opportunities to medical devices, however, they also rise data privacy challenges in light of the global data protection regulations. These devices store and transmit very sensitive medical information that requires protection, as dictated by the European (GDPR), US (e.g. CFR 164.312) or UK (DPA18) laws and provisions.
Breaches could lead to expensive vigilance activities and field safety actions; negative publicity can damage trust and cost millions in regulatory penalties

Device manufacturers and health organizations that use unsecure technology and fail to guarantee the cyber security of their medical devices pay heavy penalties, both financially and in terms of their reputation.

Cybersecurity for Medical Devices Within an IoT System

Our services to test and assess the cybersecurity of medical devices

For decades, TÜV SÜD has been at the forefront of efforts to comply with regulatory requirements and standards applicable to medical devices. Our testing laboratories offer a comprehensive range of testing and other services to fully assess the security of your devices and health software against cyber threats.

Our testing labs offer a comprehensive range of services to test and assess the cybersecurity of your medical devices.

These Include:

Cybersecurity Trainings
Trainings are provided to bring awareness and understanding of cybersecurity in medical devices. The objective of the training is to understand requirements defined in regulatory frameworks such as:
- European requirements such as MDCG 2019-16
- US FDA requirements such as
  - FDA QSR
  - Pre-Market Management of Cybersecurity
  - Post-Market Management of Cybersecurity
  - Cybersecurity for networked medical devices
- Chinese NMPA
- On Demand trainings for local frameworks such as Japanese, Singaporean, Brazil and Korean
Furthermore, trainings can be provided to understand the implementation of Cybersecurity in medical devices according to international standards such as:
- IEC TR 60601-4-5 Medical device Cybersecurity
- ISO 14971:2019 Medical device Risk Management
- ISO 62443-3-2 Security for industrial automation
Concept evaluations
The concept evaluations aim to identify cybersecurity GAPs by assessing against international/harmonized standards, cybersecurity state-of-the art and regulatory requirements such as:
- IEC TR 60601-4-5 Medical device Cybersecurity
- IEC 81001-5-1 Security - Activities in the product life cycle
- ISO 62443-3-2 Security for industrial automation
- MDCG 2019-16 Medical device cybersecurity
- Pre-Market Management of Cybersecurity
- Post-Market Management of Cybersecurity
- Cybersecurity for networked medical devices
Vulnerability Scans / Assessment and Static / dynamic code analysis
The objective of vulnerability scans is to identify and detect known weaknesses in computers, networks or applications (programs). The aim is to perform remediation activities once critical vulnerabilities are identified by the manufacturer. The benefit of this approach is to close Vulnerability Gaps and maintain strong security in medical devices

The services include:
- Vulnerability scans (e.g., Network scanning, Web-Application Scanning, Firmware/software scanning) with documentation and grading of the identified vulnerabilities in a vulnerability assessment report.
- Static and dynamic code analysis including a dedicated test report with grading of the vulnerabilities
Penetration Tests and fuzz testing
The objective of a penetration test is to simulate a cyber attack to evaluate the security status of the medical device/software. The aim is to identify unknown weaknesses found during manual tests. Test report results can be used as an objective evidence for the effectiveness of cybersecurity in a medical device (similar to a 60601-1 report being used as an objective evidence for the safety of a medical device).

The services include:
- Penetration tests at TÜV Süd are performed according to the best practice from all major frameworks (such as OSSTM, PTES, NIST 800-115, ISSAF and OWSAP)
- Penetration testing and fuzz testing are performed under DAkkS accreditation for medical device cybersecurity according to IEC/TR 60601-4-5 considering the basic safety and essential performance of a medical device.
- Identification of extra testing requirements not covered by the standards listed above
- Development of product-specific testing methods
- Assessment of provider-specific security solutions

FREQUENTLY ASKED QUESTIONS ABOUT CYBERSECURITY FOR MEDICAL DEVICES

Does a Vulnerability Scan, Fuzz Testing and Penetration Test That Do Not Reveal Any Findings Indicate That My Medical Device Is Secure?

No, the lack of findings does not indicate that the device is secure. The device might be secure with respect of vulnerabilities that have been part of the security test at a specific point in time. Keep in mind that the security situation for software may change rapidly due to newly emerging security vulnerabilities, or due to new attack vectors.
Is There a Law That Requires a Vulnerability Scan to Be Conducted?

No, there are no laws that requires it to be conducted. However, dedicated security guidance such as the FDA guidance on content of premarket submission for cybersecurity in medical devices and European MDCG 2019-16 guidance and standards such as IEC 81001-5-1 indicate that such a scan must be considered. This means that you should have good arguments in the event you decide to skip it. The same applies for penetration tests.
Do I Have to Repeat a Vulnerability Scan Or Penetration Test After Each Software Change?

You must consider security related tests regarding to the change as well as regression tests which show that your change did not have a negative effect on the cybersecurity of your device. In many cases, a vulnerability scan or penetration test should be repeated; at least partly.
Can I Conduct The Vulnerability Scan and Penetration Test On My Own?

Yes, you can conduct these tests on your own but you need to have the appropriate competences within your organization. Nonetheless, it helps to have a second pair of eyes on your devices.
Why Should I Use a 3rd Party For a Cybersecurity Assessment?

The most important argument for a 3rd party assessment is the impartiality of the 3rd party provider. Depending on the provider you choose; you may also benefit from a provider that has a broader knowledge. In case of cybersecurity testing the medical device specific knowledge and expertise of the 3rd party-provider should be ensured, preferably by accreditation according to a medical device standard such as IEC 60601-4-5. Products having tests conducted by accredited laboratories would provide a higher level of assurance for the industry in addition to ensuring the harmonization of test categories based on risks.