Cyber security check list for secure medical devices

Cyber security has moved to the center of healthcare technology. With a series of regulatory changes and new threats, both established manufacturers and new entrants need a working understanding of what is now expected of them.


European Union (EU): Medical Device Regulation (MDR) and IEC 81001-5-1

The EU’s Medical Device Regulation (MDR) is changing how cyber security for medical devices is assessed. A significant step comes in 2024 with the harmonization of IEC 81001-5-1, the standard that defines the security activities expected across the health software product life cycle. This is not a small adjustment: it is a clear push to make medical devices more resilient against new cyber threats, and it gives notified bodies a concrete yardstick for audits.


Even in 2023, we observed a growing trend among our customers, with increased focus and scrutiny during audits. Manufacturers should be ready for closer inspections. Paying attention to things like threat and risk analysis, security by design and keeping a detailed Software Bill of Materials (SBOM) is not just about following rules; it is about proactively integrating cyber security into the entire development process.

Dr. Joachim Wilke, Cyber Security Specialist Healthcare, ITK Engineering

United States (US): FDA guidelines

In the United States, the FDA has been a leader in pushing for better cyber security in medical devices, and its expectations keep evolving. Since March 2023, section 524B of the FD&C Act requires premarket submissions for "cyber devices" to include a plan for monitoring and addressing postmarket vulnerabilities, processes that provide reasonable assurance the device is cybersecure, and an SBOM; the FDA's 2023 premarket cyber security guidance spells out what it expects to see. Following this guidance is not a formality; it is essential to ensuring that medical devices are safe and secure.

EU Cyber Resilience Act and Network and Information Security Directive (NIS-2)

Even though the EU Cyber Resilience Act (CRA) excludes medical devices that fall under the MDR, its effects reach deep into the healthcare world. It covers the products with digital elements, from companion apps to cloud services, that form part of many medical device ecosystems. The Act, intended to raise cyber resilience across the board, now requires such non-medical components to meet a similar standard of cyber security activities.

At the same time, the updated Network and Information Security Directive (NIS 2) raises the bar for every organization operating networked devices, including hospitals and other healthcare providers. As a medical device manufacturer, you must therefore provide customers with documentation that lets them integrate the device into their network without putting its security at risk: for example, the ports and protocols it requires, recommendations for network segmentation, and hardening and update procedures.

Taken together, the regulatory shifts outlined above, combined with upcoming EU regulations that do not directly target medical products, make certain activities mandatory for healthcare companies whether or not the product they develop is a medical device in the regulatory sense.

Cyber security check list

Mandatory activities

  • Threat and Risk Analysis: identify threats systematically, for example with STRIDE, and rate each resulting vulnerability with the Common Vulnerability Scoring System (CVSS) so that mitigation effort goes where the risk is.
  • Security by Design: integrate cyber security measures into every phase of the development process rather than adding them at the end.
  • Software Bill of Materials (SBOM): maintain a machine-readable inventory of all software components, including third-party and open-source libraries, with their exact versions.
  • CVE Analyses: regularly assess the components listed in the SBOM for known vulnerabilities, at least once a year.
  • Independent Pentests: have thorough penetration tests conducted by external, independent testers.

Additional activities

  • GDPR Readiness: review your product for GDPR compliance to make sure data protection rules are followed.
  • Privacy by Design: review your product so that it processes only the data that is strictly required for its use cases (data minimization).
  • Improved Security Concept: refine your security concept to reduce the attack surface wherever possible.
  • Enhanced Vulnerability Management: go beyond the yearly minimum and check the components in the SBOM against newly published vulnerabilities continuously, so that a critical finding is triaged within days rather than at the next annual review.
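The SBOM-based vulnerability assessment named under "CVE Analyses" and "Enhanced Vulnerability Management" comes down to one mechanical step: matching each component's package identity and version against advisory version ranges. The following added example (not code from the original page or from ITK Engineering) does exactly that for a CycloneDX-style SBOM. The SBOM, the advisory list and the advisory IDs are constructed sample data in an OSV-like shape, not real vulnerability records; in practice the advisories would come from a feed such as OSV or the NVD.

```python
"""Match the components of a CycloneDX SBOM against advisory version ranges.
Added example, not code from the original page or from ITK Engineering.
The SBOM and advisories are constructed sample data; the advisory IDs are
placeholders, not real CVE records."""
import re
from typing import Optional

# Constructed CycloneDX-style SBOM (only the fields this check needs).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        # No version: common in hand-written SBOMs and useless for matching,
        # so it is reported separately instead of silently passing.
        {"type": "library", "name": "vendor-ble-stack",
         "purl": "pkg:generic/vendor-ble-stack"},
    ],
}

# Constructed advisories: package identity (purl without version), first
# affected version, first fixed version (exclusive) and a CVSS base score.
SAMPLE_ADVISORIES = [
    {"id": "SAMPLE-ADV-001", "purl": "pkg:generic/openssl",
     "introduced": "1.1.1", "fixed": "1.1.1l", "cvss": 7.5},
    {"id": "SAMPLE-ADV-002", "purl": "pkg:generic/zlib",
     "introduced": "1.2.0", "fixed": "1.2.12", "cvss": 9.8},
    {"id": "SAMPLE-ADV-003", "purl": "pkg:pypi/requests",
     "introduced": "0", "fixed": "2.31.0", "cvss": 6.1},
]


def version_key(version: str) -> tuple:
    """Split a version into comparable tokens: numeric runs compare as ints,
    alphabetic runs as strings (so 1.2.9 < 1.2.12 and 1.1.1k < 1.1.1l).
    Simplified on purpose: a pre-release tag such as 2.0.0-rc1 sorts after
    2.0.0 here, so use the ecosystem's own rules (PEP 440, semver, dpkg)
    for production use."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def package_id(purl: str) -> str:
    """Strip version (@), qualifiers (?) and subpath (#) from a package URL."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed (no fixed version: all later)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def unversioned_components(sbom: dict) -> list:
    """Components that cannot be assessed because the SBOM lacks a version."""
    return [c["name"] for c in sbom["components"] if not c.get("version")]


def find_vulnerable_components(sbom: dict, advisories: list) -> list:
    """Return findings sorted by CVSS score, highest first."""
    by_package: dict = {}
    for adv in advisories:
        by_package.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in sbom["components"]:
        version = comp.get("version")
        if not version:
            continue
        for adv in by_package.get(package_id(comp["purl"]), []):
            if is_affected(version, adv["introduced"], adv.get("fixed")):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "cvss": adv["cvss"],
                                 "fixed_in": adv.get("fixed")})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"(CVSS {f['cvss']}), fixed in {f['fixed_in']}")
    for name in unversioned_components(SAMPLE_SBOM):
        print(f"{name}: no version in SBOM, cannot be assessed")
```

Two details matter for an audit: the match is on the package URL, not the free-text component name, so the SBOM must carry consistent purls; and components without a version are surfaced as their own finding, because an SBOM that cannot be matched is a gap in the assessment, not a clean result.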

Key Takeaways

  • Cyber security in every development phase
  • Cyber security activities beyond regulatory baselines
  • Check up on non-medical products

Unsolved challenges? We look forward to your inquiry.

Contact: Daniel Schifferdecker, Healthcare – Medical devices