Navigating the evolving landscape of Cyber Security in Healthcare
In the ever-evolving landscape of healthcare technology, the importance of cyber security has taken center stage. With a slew of regulatory developments and emerging threats, it is crucial for both existing and potential players in the industry to be well-versed in the cyber security domain.
Regulatory frameworks
1. European Union (EU): Medical Device Regulation (MDR) and ISO 81001-5-1
The EU's Medical Device Regulation (MDR) is making big changes to how we think about cyber security for medical devices. A significant shift is coming in 2024 with the harmonization of ISO 81001-5-1, and it's not just a small adjustment – it's a strong move to make medical devices more resilient against new cyber threats.
Even in 2023, ITK observed a growing trend among its customers, noting an increased focus and scrutiny during audits. Manufacturers should be ready for closer inspections during audits. Paying attention to things like threat and risk analysis, security by design and keeping a detailed Software Bill of Materials (SBOM) is not just about following rules; it's about being proactive in building a culture of cyber security that lasts throughout the development process.
2. United States (US): FDA guidelines
In the United States, the FDA has been a leader in pushing for better cyber security in the medical device world. As the rules keep evolving, following FDA guidelines is no small task, but it is crucial to ensuring medical devices are safe and secure.
The call for independent penetration tests (pentests) and yearly vulnerability checks is a central part of the FDA guidance; the FDA clearly wants to make sure problems are found and fixed before they can put patients or data at risk.
3. EU Cyber Resilience Act and Network and Information Security Directive (NIS-2)
Even though the EU Cyber Resilience Act (CRA) excludes medical devices, its effects reach far and wide into the Healthcare world. It touches everything from apps to cloud services that are part of many medical devices' ecosystems but were formerly declared not to be medical products, which reduced the testing and documentation effort required for them. The Act, made to boost cyber resilience in important sectors, now requires such non-medical components to reach a similar level of quality in their cyber security activities.
At the same time, the updated Network and Information Security Directive sets a higher standard for every organization operating networked devices in its business, including hospitals and other players in the healthcare market. Manufacturers of medical devices must therefore provide customers with documentation that helps them integrate the devices into the customer's network without putting cyber security at risk.
Mandatory activities: What manufacturers should immediately care for
In summary, the regulatory shifts outlined above, combined with upcoming EU regulations that do not directly target medical products, make certain activities obligatory for Healthcare companies, whether or not they develop a medical product in the regulatory sense:
- Threat and Risk Analysis: Utilize methods such as STRIDE and the Common Vulnerability Scoring System (CVSS) metric.
- Security by Design: Integrate cyber security measures into the development process.
- Software Bill of Materials (SBOM): Maintain an inventory of software components.
- CVE Analyses: Regularly assess vulnerabilities, at least on a yearly basis, based on the SBOM.
- Independent Pentests: Conduct thorough penetration tests by external entities.
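One way to carry out the SBOM-based CVE analysis named above, as an added example that is not ITK's or any project's code: it parses a constructed CycloneDX-style SBOM, matches each component against a constructed advisory list with placeholder CVE identifiers, and orders the findings by CVSS score so the highest-risk items are handled first. The SBOM contents, the advisory list and the fixed versions are assumptions for illustration only.

```python
"""SBOM-driven CVE analysis (added example, not ITK's or any project's code).

Matches a minimal CycloneDX-style SBOM against a vulnerability list and flags
components whose version is below the first fixed release. SBOM and advisories
are constructed sample data; the CVE ids are placeholders, not real identifiers.
"""
import json
import re

# Constructed SBOM fragment in CycloneDX JSON shape (one purl per component).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
        {"name": "libxml2", "version": "2.12.0", "purl": "pkg:generic/libxml2@2.12.0"},
        {"name": "zlib", "version": "1.3", "purl": "pkg:generic/zlib@1.3"},
    ],
})

# Constructed advisory feed: placeholder ids, affected component, first fixed version, CVSS.
ADVISORIES = [
    {"id": "CVE-0000-PLACEHOLDER-1", "name": "openssl", "fixed_in": "3.0.8", "cvss": 7.5},
    {"id": "CVE-0000-PLACEHOLDER-2", "name": "openssl", "fixed_in": "3.0.5", "cvss": 5.3},
    {"id": "CVE-0000-PLACEHOLDER-3", "name": "libxml2", "fixed_in": "2.12.1", "cvss": 9.8},
]

def version_key(version: str) -> tuple:
    """Split a dotted numeric version into comparable integer parts ("1.3" < "1.3.1")."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def affected(component_version: str, fixed_in: str) -> bool:
    """A component is affected when its version is older than the first fixed release."""
    return version_key(component_version) < version_key(fixed_in)

def analyse_sbom(sbom_json: str, advisories: list) -> list:
    """Return matching findings, highest CVSS first, for risk-based prioritisation."""
    components = json.loads(sbom_json)["components"]
    findings = [
        {"component": c["purl"], "cve": a["id"], "cvss": a["cvss"], "fixed_in": a["fixed_in"]}
        for c in components
        for a in advisories
        if a["name"] == c["name"] and affected(c["version"], a["fixed_in"])
    ]
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

if __name__ == "__main__":
    for f in analyse_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['cvss']:>4}  {f['cve']}  {f['component']}  fix: upgrade to {f['fixed_in']}")
```

Running the same check on a schedule (monthly or weekly, as recommended below) turns the SBOM into a living input for vulnerability management rather than a one-off audit artefact.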
Additional activities: What manufacturers should also care for
In addition to the mandatory compliance activities discussed earlier, it's crucial for Healthcare companies to recognize that passing audits does not by itself make a medical device ready for the market. This extends beyond meeting regulatory requirements to safeguarding both the financial health and reputation of the company. Medical device manufacturers should therefore also follow these additional activities:
- GDPR Readiness: Inspect your product for GDPR compliance, to make sure data protection rules are followed.
- Privacy By Design: Review your product to ensure it uses only the data that is absolutely required for your use cases.
- Improved Security Concept: Optimize your security concepts to reduce attack vectors, wherever possible.
- Enhanced Vulnerability Management: Make sure to scan your product for CVE issues at least monthly, preferably weekly.
Looking ahead
As the regulatory landscape continues to evolve, it is imperative for Healthcare companies to not only meet mandatory requirements but also proactively address broader cyber security considerations. Activities such as privacy by design, optimized security concepts and enhanced vulnerability management through more frequent CVE analyses can fortify the industry against emerging threats. Additionally, Healthcare companies should also focus on their "non-medical" products, e.g. apps and cloud products, to comply with upcoming regulations that do not explicitly target medical devices.
Over the last decades, ITK has supported several Healthcare companies in adopting and improving their processes and has actively provided engineering support for all the mandatory and additional security activities mentioned above. So if you need any assistance, please feel free to contact our Healthcare Cyber Security Specialist Dr. Joachim Wilke or reach out directly to our Healthcare team.
In this video, Joachim explains how to make your medical product smart yet secure within the Internet of Medical Things. Feel free to take a look.
Curious now? Then don't miss this and subscribe to our newsletter here and follow ITK-Engineering.
Meet us at this year's Bosch Connected World on February 28th and 29th in Berlin! Visit us at our booth G2 and don't miss the "ITK Happy Hour" on February 28th at 6:30pm. Let's celebrate 30 years of ITK together. The Art of Digital Engineering.