Networked medical devices in hospitals and healthcare organizations around the world number in the millions. Many of them are old enough that they implement no cybersecurity protections at all, or run on unsupported operating systems. This gives attackers ideal conditions to access millions of unprotected health records (a special category of personal data under the GDPR) or to use a compromised device as a foothold for lateral movement across the hospital network.
These are the main reasons why networked medical devices need to be evaluated against security standards that define the requirements and guidelines for developing secure medical devices.
The Medical Device Regulation (MDR) 2017/745 states (Annex I, Section 17.2): “For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.” European medical device regulation therefore already includes cybersecurity requirements.
Current standards such as IEC 62304:2006 (Medical device software — Software life cycle processes) and ISO 14971:2019 (Medical devices — Application of risk management to medical devices) refer to cybersecurity, although it is not their focus.
Medical security standards
Several security standards can be applied to assess the security of medical devices:
The UL 2900 series provides measurable criteria for testing network-connectable products for security vulnerabilities and exploitable weaknesses:
- UL 2900-1 Ed. 1-2017 - Standard For Software Cybersecurity For Network-Connectable Products, Part 1: General Requirements.
- UL 2900-2-1 Ed. 1-2017 - Software Cybersecurity For Network-Connectable Products, Part 2-1: Particular Requirements For Network Connectable Components Of Healthcare And Wellness Systems.
The IEC 62443 series targets industrial automation and control systems (IACS). Nonetheless, it is widely applied to medical devices as well, and it served as the basis for IEC TR 60601-4-5 (Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications for medical devices).
IEC 62443-4-2 (Technical security requirements for IACS components) defines four security levels, each characterized by the attacker it must resist. The wording below is the one used for the data confidentiality foundational requirement; the same attacker profiles apply to the other foundational requirements:
- SL 1: Prevent the unauthorized disclosure of information via eavesdropping or casual exposure.
- SL 2: Prevent the unauthorized disclosure of information to an entity actively searching for it using simple means with low resources, generic skills and low motivation.
- SL 3: Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with moderate resources, IACS-specific skills and moderate motivation.
- SL 4: Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with extended resources, IACS-specific skills and high motivation.
The security of a medical device can therefore be assessed by verifying its level of compliance with standards such as IEC 62443-4-2 or UL 2900-2-1.
Do not hesitate to contact us for more information about our medical device assessment services. Our expert team will evaluate your product against the most suitable framework, or help you identify the security requirements that apply to your product under the standard you want to be evaluated against.
What we offer
Medical device Compliance Assessment
We assess your medical device's compliance with the most widely recognized standards on the market, such as IEC 62443-4-2 or UL 2900-2-1. This service verifies whether your implementation meets the requirements of the chosen standard.
A full report is provided describing how your device meets each requirement.
This helps you demonstrate to third parties that you meet industry standards.
Vulnerability Analysis and Penetration Testing for medical devices
Our vulnerability analysis service aims to find vulnerabilities in a device before a security breach occurs. This includes identifying weaknesses in the hardware, firmware or software of the device that an attacker could exploit.
We offer full support to help you meet whichever medical standard you need.
Cybersecurity requirements are hard to meet; we can support you in satisfying the cybersecurity requirements of international standards and regulations such as the GDPR, IEC 62304:2006 and ISO 14971:2019.
With this service we generate all the required documentation and support your product development, saving you time, money and resources.
Cybersecurity can be a significant challenge for an organization; jtsec supports you throughout the process of meeting your security objectives. This service may include gap analysis, document preparation or security design review.