[Image: tablet with medical information (WavebreakmediaMicro / Fotolia)]
2023-03-02 expert contribution

Cybersecurity risk management for medical devices

We support manufacturers in extending their risk management to cover all cybersecurity requirements in a customized and lean way, following our "ARGOS" approach.

Contact
Dipl.-Ing. Hans Wenner

We receive many questions about cybersecurity. The complexity of the topic is a challenge for manufacturers of medical devices, and this is exactly where we offer our help: we support manufacturers in extending their existing risk management by the necessary cybersecurity aspects according to our "ARGOS" approach. ARGOS makes it possible to implement the requirements efficiently within customized processes.

Why is cybersecurity important for every medical device manufacturer? 

Incidents such as the loss of data or extortion through ransomware that encrypts mass storage are omnipresent in the daily press. Both the choice of attack targets and the scale and scope of these attacks are a serious concern. Once an attack has succeeded, damage limitation, if it is possible at all, requires considerable time and money.

In medical technology, it is not just the theft or disclosure of data (such as patient or treatment data) that poses a risk. The failure of diagnostics or treatment due to cyber attacks must also be considered. 

In addition, the European Medical Device Regulation (MDR) requires information security to be addressed (see, among others, Regulation (EU) 2017/745, Annex I - General Safety and Performance Requirements, sections 17.2 and 17.4, which cover the software development lifecycle, risk management and information security, and the minimum requirements a manufacturer must state for hardware, IT network characteristics and IT security measures).

Our common goal must therefore be to thwart such attacks in advance so that they cannot succeed in the first place. 

Today, we will show you our implementation of an advanced risk management system that meets these requirements: ARGOS - Advancing Risk-Management and Governance On the basis of Security. 

Motives for attack: Assets

Every product has goods worth protecting, so-called "assets". These assets can be "virtual goods" (such as patient and treatment data) or other properties worth protecting (such as the settings of safety- and security-relevant parameters). In short, these assets are what the attacker is targeting, because the attacker wants to gain access to them. The first step is therefore to identify these assets systematically together with you.

Interfaces as gateways

[Figure: interfaces and assets (VDE)]

Every product has interfaces to its environment. 

The attacker uses these interfaces of the product to gain access to the goods worth protecting. 

The obvious candidates for security considerations are data interfaces, which serve the exchange of information between devices or device parts. But less obvious interfaces are equally relevant, such as the interfaces through which the user interacts with the device (displays, keys, touch screens, service ports). Therefore, once the assets have been identified, we work with you to determine the interfaces through which attacks on them could take place.

The product in its environment

Operating environment (zone) 

A medical device is always operated in an environment ("zone"). One such zone could be the "open" Internet, where anyone can access the medical device or the interfaces described above at any time. A completely different zone would be the operation of the device within a controlled environment that is accessible only after authentication, for example, within an access-protected area in a hospital. The characteristics of this environment need to be considered and examined in detail, which we also do in dialog with you. Each environment has its own threats, which we systematically identify (threat modeling). 

Threats 

The identification and modeling of attack scenarios is called "threat modeling". For this purpose, we use the knowledge gained so far (assets, interfaces, environment) for a targeted approach, for example using the "STRIDE" categories: 

Spoofing - impersonating a user, device or service 

Tampering - unauthorized manipulation of data or control flows 

Repudiation - denying an action so that it cannot be attributed to its originator 

Information disclosure - violation of privacy or data breach 

Denial of service - making a function unavailable 

Elevation of privilege - gaining rights one is not entitled to 

[Figure: interfaces, assets, zone and threats (VDE)]

Each STRIDE category is applied in turn to each interface and each asset, so that no combination is left unexamined. 

Example "Tampering": 

  • Can the "examination report" asset be tampered with? For example, by assigning it to the wrong patient, altering the diagnosis, ... ? 
  • Can interface XYZ be manipulated so that the product can be controlled remotely and unwanted movements are triggered that endanger the patient? 
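The enumeration described above (every STRIDE category applied to every asset reachable through every interface, with the operating zone setting the exposure) can be made mechanical. The following Python script is an added example and is not code from the VDE article or from the ARGOS method; the zone names, the 1..5 exposure and impact scales, the mapping of STRIDE categories to protection goals and the sample product are assumptions made for illustration.

```python
"""STRIDE enumeration over interfaces, assets and operating zones.

Added example, not code from the VDE article or the ARGOS method.  The
article describes the procedure only in prose, so this models its inputs
(assets, interfaces, zone) and applies every STRIDE category to every
asset reachable through every interface.  Zone names, the exposure and
impact scales (1..5), the STRIDE-to-protection-goal mapping and the
sample product are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Exposure of an operating environment ("zone"); 5 = anyone can reach the
# interface at any time, 1 = only after physical access control.  Assumed scale.
ZONE_EXPOSURE: Dict[str, int] = {
    "internet": 5,
    "hospital network": 3,
    "access-protected area": 1,
}

# Each STRIDE category violates one protection goal (assumed mapping).
STRIDE_GOAL: Dict[str, str] = {
    "Spoofing": "authenticity",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorisation",
}


@dataclass
class Asset:
    name: str
    # Harm (0..5) if a protection goal is violated.  A goal that is not
    # listed counts as impact 0 but still appears in the register, so the
    # "not applicable" decision is documented rather than silently skipped.
    impact: Dict[str, int]


@dataclass
class Interface:
    name: str
    zone: str
    assets: Tuple[Asset, ...]  # assets reachable through this interface


@dataclass(frozen=True)
class Threat:
    interface: str
    asset: str
    category: str
    exposure: int
    impact: int

    @property
    def risk(self) -> int:
        # Simple product; a real process would plug in the manufacturer's
        # own likelihood/severity matrix here.
        return self.exposure * self.impact


def enumerate_threats(interfaces: List[Interface]) -> List[Threat]:
    """Apply every STRIDE category to every (interface, asset) pair."""
    register: List[Threat] = []
    for iface in interfaces:
        if iface.zone not in ZONE_EXPOSURE:
            # Fail loudly: an unrated zone would silently hide every threat behind it.
            raise ValueError(f"interface {iface.name!r}: zone {iface.zone!r} has no exposure rating")
        exposure = ZONE_EXPOSURE[iface.zone]
        for asset in iface.assets:
            for category, goal in STRIDE_GOAL.items():
                register.append(Threat(iface.name, asset.name, category,
                                       exposure, asset.impact.get(goal, 0)))
    return register


def unacceptable(register: List[Threat], threshold: int) -> List[Threat]:
    """Threats whose risk reaches the acceptance threshold, highest first."""
    return sorted((t for t in register if t.risk >= threshold), key=lambda t: -t.risk)


def risk_by_interface(register: List[Threat]) -> Dict[str, int]:
    """Sum of risk per interface: shows where hardening pays off most."""
    totals: Dict[str, int] = {}
    for t in register:
        totals[t.interface] = totals.get(t.interface, 0) + t.risk
    return totals


# Constructed sample product (assumed): an imaging device with a moving gantry.
EXAMINATION_REPORT = Asset("examination report",
                           {"integrity": 5, "confidentiality": 4, "non-repudiation": 3, "availability": 2})
MOTION_PARAMETERS = Asset("motion control parameters",
                          {"integrity": 5, "availability": 4, "authorisation": 5, "authenticity": 4})
SERVICE_LOG = Asset("service log", {"non-repudiation": 3, "confidentiality": 2})

SAMPLE_PRODUCT: List[Interface] = [
    Interface("report export", "hospital network", (EXAMINATION_REPORT,)),
    Interface("service port", "access-protected area", (MOTION_PARAMETERS, SERVICE_LOG)),
    Interface("remote maintenance", "internet", (MOTION_PARAMETERS, SERVICE_LOG)),
]

if __name__ == "__main__":
    register = enumerate_threats(SAMPLE_PRODUCT)
    for t in unacceptable(register, threshold=15):
        print(f"{t.risk:3d}  {t.category:<23} {t.asset:<26} via {t.interface}")
    print(risk_by_interface(register))
```

Two design points carry over to a real threat model: the register keeps the zero-impact combinations (so an auditor can see that, for example, "Repudiation" of motion parameters was considered and judged irrelevant, not forgotten), and the per-interface totals make it visible that the same asset reached through an Internet-facing maintenance channel carries a very different risk than through a physically protected service port.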
[Figure: interfaces, assets, zone, threats, risk management and security capabilities (VDE)]

Advanced risk management 

Once the threats have been identified and analyzed, measures can be defined against them. Because the threats were derived systematically, the resulting risk management is efficient and targeted: every measure can be traced back to the threat, interface and asset it addresses. 

The aim is a system that is adequately hardened and able to protect itself against attacks (its "security capabilities"). 

As in "classic" risk management, the measures take effect at different levels, from the design of the device through its configuration to the instructions given to the operator. "Cybersecurity" in this sense describes information security requirements that extend well beyond "conventional" computer and network security. 

Implementation 

We help you integrate the cybersecurity management described here into your existing risk management. Together we establish fast, simple and user-friendly procedures with which you can independently examine your product not only for physical hazards in terms of operational safety, but also for weaknesses in information security, and minimize the identified risks through adequate measures. 

Because: the analysis of information security is a necessary part of the technical documentation for the approval and operation of your medical device! 

Contact us. We will accompany you during the implementation and support you in all questions.