

There has been exponential growth in types of medical devices, often connected to smart devices such as mobile phones, tablet computers, and wearable devices, which also run medical applications/software. These devices are already found in homes today.
The inherent security risk with medical devices is that they can potentially expose both data and control of the device itself. This raises a tension between safety and security, which requires greater stakeholder collaboration to address, particularly in design and regulatory approaches. These stakeholders now include regulators, device manufacturers, healthcare organizations, IT suppliers, and patients themselves.
Cyber risks are set to increase further with the adoption of the Internet of Things (IoT) by healthcare organizations and consumers. The convergence of networking, computing technology, and software has enabled increasing integration of Hospital Enterprise Systems/Information Technology (IT) and Clinical Engineering (CE), and suppliers through remote connectivity. This will be revolutionized by cloud-based services and the use of ‘big’ data analytics.
The need to protect patient data from cyber-attack is now well understood.
However, the potential impact on clinical care and patient safety is raising concerns for healthcare organizations, regulators, and medical device manufacturers alike. Control of a medical device could also be compromised.
There are many cyber risks to medical devices which include:
Malware on device/systems - malicious software (e.g. virus, worm, Trojan, ransomware) introduced onto the device or system.
Denial of control action - device operation disrupted by delaying or blocking the flow of information, denying healthcare staff the availability of the device or of the networks used to control the device or system.
Device, application, configuration, or software manipulation - device, software, or configuration settings modified producing unpredictable results.
Spoofed device/system status information - false information sent to operators either to disguise unauthorized changes or to initiate inappropriate actions by medical staff.
Device functionality manipulation - unauthorized changes made to embedded software, programmable instructions in medical devices, alarm thresholds changed, or unauthorized commands issued to devices, which could potentially result in damage to equipment (if tolerances are exceeded), the premature shutdown of devices and functions, or even disabling medical equipment.
Safety functionality modified - safety-related functionality manipulated such that it does not operate when needed, or performs incorrect control, potentially leading to patient harm or damage to medical equipment.
Medical device manufacturers and healthcare organizations need to implement safeguards to reduce the risk of failure or misuse in the event of a cyber-attack.
They can benefit from working towards a common set of security expectations, as set out in cybersecurity standards. This can be facilitated by the use of a common procurement language and guidelines to ensure security is integrated into medical devices and systems.
Control system security goals focus on control system availability, equipment protection, operations (even in a degraded mode), and time-critical system response. The measures used to implement safeguards are equally applicable and are focused on an operational technology environment (in this case medical devices and health networks) as opposed to traditional IT Information Assurance.
BS EN IEC 62443-3-3 security controls are combined with others in PD IEC/TR 80001-2-8 for the risk management of IT networks, which incorporate medical devices. The potential security impacts of security measures are outlined to distinguish control systems, in that their application should not cause the loss of essential services and functions, including emergency procedures. IEC 62443-1-1 describes the basic concepts and models related to cybersecurity that are used throughout the BS EN IEC 62443 series. A key concept in IEC TS 62443-1-1 is the application of security zones and conduits used to describe the various operational components and how they are connected. The zones logically group assets within the enterprise, which can then be analyzed for security policies and requirements. The architecture model provides context for assessing common threats, vulnerabilities, and the corresponding countermeasures needed to attain the level of security required to protect the grouped assets.
The audience for these medical device cybersecurity standards includes asset owners, system integrators, product suppliers, service providers, and compliance authorities.
Recommendations include network segmentation (applicable to IT networks versus clinical networks and enclaves), but also cover secure design, implementation of security, including governance, risk assessment, procurement, managing the system life cycle, maintenance, third party risk, and incident management.
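An added example, not part of the original page or of any IEC 62443 text: a minimal zone-and-conduit model that groups assets into zones and flags observed network flows that cross zones without a defined conduit. Asset names, zone names, ports and flows are constructed; treating intra-zone traffic as permitted and conduits as one-directional are assumptions of this sketch.

```python
from typing import NamedTuple

# Constructed inventory (illustrative names): asset -> security zone.
ZONES = {
    "ehr-server": "hospital-it",
    "staff-workstation": "hospital-it",
    "infusion-pump-12": "clinical",
    "patient-monitor-3": "clinical",
    "pump-gateway": "clinical",
    "vendor-remote-support": "supplier",
}

# Constructed conduits: (source zone, destination zone) -> permitted services.
CONDUITS = {
    ("clinical", "hospital-it"): {("tcp", 2575)},
    ("supplier", "clinical"): {("tcp", 443)},
}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int

def audit_flows(flows, zones=ZONES, conduits=CONDUITS):
    """Return (flow, reason) for every flow the zone/conduit model does not permit."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zones.get(f.src), zones.get(f.dst)
        if src_zone is None or dst_zone is None:
            findings.append((f, "asset not assigned to a zone"))
        elif src_zone == dst_zone:
            continue  # assumption: traffic inside one zone is governed by zone policy
        elif (src_zone, dst_zone) not in conduits:
            findings.append((f, f"no conduit {src_zone} -> {dst_zone}"))
        elif (f.proto, f.port) not in conduits[(src_zone, dst_zone)]:
            findings.append((f, f"service not permitted on conduit {src_zone} -> {dst_zone}"))
    return findings

# Constructed sample of observed flows (e.g. summarised from flow records).
SAMPLE_FLOWS = [
    Flow("infusion-pump-12", "pump-gateway", "tcp", 8443),
    Flow("pump-gateway", "ehr-server", "tcp", 2575),
    Flow("staff-workstation", "infusion-pump-12", "tcp", 23),
    Flow("vendor-remote-support", "infusion-pump-12", "tcp", 22),
    Flow("unknown-laptop", "patient-monitor-3", "tcp", 80),
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
```

Each finding is either a missing zone assignment to correct in the inventory or a cross-zone flow that needs a documented conduit or a block at the segment boundary.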
Medical device manufacturers can also apply a variety of secure product development lifecycle (SDLC) good practices. Cybersecurity assurance programs can utilize the good practice developed in IEC TS 62443-4-1 Product Development Requirements and BS EN IEC 62443-4-2 Technical Security Requirements for industrial control system components.
These medical device cybersecurity standards focus on secure product development good practice (including IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems series), verification and testing, and lifecycle management.
Want to have access to all your cybersecurity standards in one place? A BSI Knowledge subscription gives you instant access to the resources you need to improve the cybersecurity of your medical devices. The flexibility and visibility it provides of the best practices guidance enable you and your team to get the most from standards - from patient privacy to remote data access. Build your own custom collection of standards, or opt for access to our GBM24 Information Technology - Software & Networking module and keep up-to-date with any relevant changes to your cybersecurity strategy. Request to learn more.
Ensure your medical device products are safeguarded from dangerous cybersecurity threats by adding these medical device cybersecurity standards to your collection today.