MEDICAL & PHARMACEUTICAL INDUSTRY FOCUS


Protecting medical devices against cyber attack


Connected, remote access medical products are a common cyberattack target. While there are still no harmonised standards for the cybersecurity of medical devices, the FDA, EU and Health Canada are in the process of addressing this, as Richard Poate, senior manager at TÜV SÜD, explains




Remote access medical devices are a growth area for healthcare management. They are, however, vulnerable to cyberattack. Systems intended to meet legitimate needs – such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems – can be exploited for illegitimate purposes. Likewise, while new technology can grant patients the freedom to live at home while being monitored, many security assumptions are based on a hospital or clinical environment, including:

• Control of the local communications infrastructure (the device communicates with a bed stand or a local gateway)
• IT support
• Native protocols (unencrypted communications, as in some 2016 pacemakers)
• Knowledge about the ease with which hardware (such as firmware flashing devices) may be procured

Consequently, in the home care environment there may be many cybersecurity vulnerabilities within connected healthcare products due to limited encryption capabilities. Authentication mechanisms may be lacking or entirely absent, as there is no de facto standard for authentication. Wireless communication exposes patients to eavesdropping and, at the point of service, to social engineering aimed at the patients themselves or at their carers and nurses, for example. This is where cybercriminals use psychological manipulation to trick users into making security mistakes or giving away sensitive information. However, companies often neglect their staff’s IT-security training, even though social engineering has long been a standard weapon in every cybercriminal’s arsenal.


TESTING PROCEDURES

Cybersecurity must be based on a well-structured development and testing process. For example, after any software change a vulnerability scan or penetration test should be repeated, at least in part. Manufacturers must also consider security-related tests regarding the change, as well as conduct regression tests which show that the change did not have a negative effect on the cybersecurity of the device. While manufacturers can conduct their own tests, they must have the appropriate competences within the organisation. They should therefore ensure and demonstrate that they have enough expertise to ensure IT security in line with the state of the art. This evidence is often most easily obtained through internal or external training, through which manufacturers can also draw on the expertise of external resources.

While there is currently no law that requires a vulnerability scan or penetration test to be done, most guidance documents indicate that it should be conducted. It is therefore up to designers and manufacturers to prove that they have taken appropriate actions to bring safe products onto the market, and to have a good case prepared if they decide to ignore this element.

When assessing risks in accordance with Annex I of the Medical Device Regulation (MDR), it is important to include security issues in the risk assessment, even in cases where security is not stated explicitly in the Regulation’s requirements. During the risk management process, the manufacturer should foresee or evaluate the potential exploitation of those security vulnerabilities that may result from reasonably foreseeable misuse. The regulations now also require manufacturers to develop and manufacture their products in accordance with the state of the art (SOTA), taking into account the principles of risk management, including information security, and to set out minimum requirements concerning IT security measures, including protection against unauthorised access.

While there are some standards and industry guidance available globally, they are neither complete and ratified nor mandatory. However, they do represent a first line of defence, and as a first step designers and manufacturers should think ‘Secure by design’ and take a proactive approach to cybersecurity, recognising that attacks are a matter of ‘when, not if’. It is also vital to keep up to date with standards and regulations to ensure that they are working to the SOTA.

While digitisation and increasing connectivity bring enormous opportunities, unforeseeable risks and serious vulnerabilities can be exploited by new forms of cybercrime. Security that is tolerant of implant, wearable, mobile-connected and public-network-using devices is therefore paramount. As medical devices become increasingly connected, they also become more vulnerable to cyberattack, exposing the people who use them to hazards that did not previously exist. It is important to remember that there are no ‘bad user behaviours’, only scenarios that the designer or manufacturer has failed to identify. Neither should patients be expected to shoulder any additional burden for security: it is the manufacturer’s responsibility to ensure up-to-date compliance with all standards and to constantly review the ‘cyber resistance’ status of devices.


TÜV SÜD www.tuvsud.com/uk


DESIGN SOLUTIONS | MARCH 2021 29

