Cybersecurity deals with all aspects of security in information and communication technology. Cybersecurity has also become an important topic in the healthcare sector and in medical technology in particular. We spoke to VDE Senior Expert Hans Wenner to find out where the biggest challenges lie in terms of cybersecurity and how cyber risks can be minimized.
Mr. Wenner, why has cybersecurity also become an important topic in medical technology?
This is mainly due to the technological development of medical technology. Software is playing an increasingly important role. There are practically no medical electrical devices that do not have software. And then there is the software itself, i.e. medical apps of all kinds. And where there is software, it can also be compromised. In addition, medical devices are increasingly networked with each other, with the internet or, for example, with the hospital information system. This naturally makes hackers happy.
How do you assess the current threat situation?
I follow the assessment of the current BSI situation report 2021: critical. You only have to open the newspaper to quickly find a report about a hacked hospital, a hacked authority and the like. The impact on care and the damage are considerable. The KBV recently appealed to doctors and psychotherapists in private practice to take IT security seriously. After all, practices are also under threat from hackers. According to the BSI situation report 2021, cybercriminal extortion methods have increased overall. Up to half a million new malware variants were recorded every day! The quality of attacks has also increased. The good news is that targeted hacker attacks on individual medical devices do not play such a major role. Cyber criminals are targeting the healthcare infrastructure as a whole, which includes medical devices. And here the threat situation is global and fast-moving.
What cybersecurity problems can be expected with medical devices?
As most cyber attacks take place via network interfaces, the OWASP Top 10 helps with security analysis. It lists the ten most common categories of vulnerabilities in web applications. In the current list (as of 2021), targeted manipulation of access rights is in first place. In 2nd and 3rd place are inadequate or missing data encryption and the injection of malicious code. Also noteworthy is the "newcomer" in 4th place: risks associated with design and architecture errors! This can be countered by effective threat modeling, secure design patterns and reference architectures as early as the development stage. The CWE Top 25 Most Dangerous Software Weaknesses goes into even more technical detail in software development. This is a list of the most frequent and most serious problems that have occurred in the past two calendar years.
These overviews list vulnerabilities that are often easy to find and exploit, which further increases the threat scenario. However, they are only an introduction to security analysis, as safety, i.e. operational safety, and security, i.e. information security, are linked in medical technology.In order for a manufacturer to identify specific cybersecurity problems, they need to carry out a targeted analysis.And this includes the effects on both safety and security. This goes beyond a mere listing - as is the case with pentests, for example.
How do manufacturers deal with this problem?
It varies. Software-savvy manufacturers and those who process large volumes of personal data are aware of the problem and pursue a security-by-design approach, i.e. they design their devices and systems from the outset in such a way that they offer as few possible gateways for attacks as possible. This type of prevention is certainly the best security approach! And then, of course, there are many other measures that can be taken to harden systems against attacks and reduce risks. The problem I see is that many manufacturers still take cyber risks too lightly, despite the real threat situation. This is due to the fact that medical technology is hardware-dominated and software is often only seen as an add-on. And too often people act according to the Sankt Florian principle, assuming that they themselves are not affected, but only the others. In view of the real threat situation, however, this is a dangerous assessment.
And what does the legislator say? Do we have sufficient safety requirements?
A lot has happened in recent years. No wonder, given the threat situation. As far as infrastructure is concerned, this is primarily the Kritis Regulation, which also classifies parts of healthcare as critical infrastructure. The relevant facilities, i.e. larger hospitals, manufacturers of certain medical devices, etc., must then meet certain security requirements. However, the requirements for medical devices themselves have also increased significantly as a result of the European Medical Device Regulation (MDR). Medical devices must now be designed and manufactured in such a way that risks, including cyber risks, are reduced as far as possible. There are now a large number of rules, recommendations, detailed requirements and certificates. This is to be welcomed in itself, but the problem is the abundance of rules, some of which are difficult to interpret and implement in practice and then also encounter a changing and fast-moving threat situation. This simply overwhelms many small and medium-sized companies.
What do you recommend to reduce cyber risks as much as possible?
As already mentioned, a manufacturer must carry out a specific risk analysis for its medical device in order to identify which specific cyber risks exist and how it can minimize them.
There is no shortage of tools for finding vulnerabilities - such as pentests - especially if existing products are to be analyzed. However, it is much quicker and more cost-effective to identify and eliminate these weak points in advance.
This is where our systematic VDE approach ARGOS comes in, which successively determines which assets worthy of protection are exposed to a potential cyber attack, the mechanisms through which such attacks could take place, the resulting damage - both in terms of safety and security - and how manufacturers and operators can protect themselves against them. This system is innovative in this sequence, as it combines safety and security. Exactly what is a basic requirement in medical technology. ARGOS is also based on the relevant standard for risk management, and the procedure has been established with manufacturers for years. The learning and implementation effort is therefore low.
And another look into the crystal ball: what about security in the networked healthcare of tomorrow?
I think it will be important to understand cybersecurity as a fundamental security requirement for software, a device or a system and then to develop measures to protect it as efficiently as possible. To do this, you have to engage in a constant technological race, because attackers are constantly evolving. The question is how cybersecurity needs to evolve in technical and regulatory terms so that new technologies can be countered. I am thinking here, for example, of the quantum computer, which would make our current cryptographic processes obsolete. Cybersecurity is therefore a continuous process that will be a normal part of a company in the future, just like current processes.
Thank you for the interview!
