Cybersecurity in the Medical Industry: Episode 1 – “Best Practices for MedTech Device Manufacturers”

In the first episode of our podcast series, “Cybersecurity in the medical industry”, we take a deep dive into the world of cybersecurity for medical devices with industry experts.

We discuss standards and practices such as IMDRF, AAMI TIR 57 and IEC TR 60601-4-5, and the role that SGS Brightsight testing services plays in certification. Plus, we delve into the critical relationship between security and safety, offering insights for protecting medical devices in a connected world. Join us for an in-depth look at safeguarding healthcare technology.

Listen to the podcast

About the speakers

This podcast features:

• Thomas Schuster, Security Evaluator, SGS Brightsight
• Vasily Kalakutskiy, Business Development Manager Medical Product Certification, SGS
• Stefan Fehn, Safety Expert Active Medical Devices, SGS 
• Willy Fabritius, Global Head of Strategy & Business Development Information Security, SGS

Podcast highlights

When is cybersecurity applicable for my device?

If your device contains firmware, or it is a Software as a Medical Device (SaMD), that could be vulnerable to the cybersecurity threats, you should consider cybersecurity, even if it does not have network interfaces.

As soon as you have an asset/a secret to protect, cybersecurity enters into place. Cybersecurity ensures, or at least “tries to ensure”, availability, integrity, authentication and confidentiality of the information that is important for you and your device. Those properties are so called “CIA+” principles and should be protected and restored in case of cybersecurity attacks. 

This is why cybersecurity is always applicable to any electronic device or SaMD.

Is cybersecurity mandatory? Is it a regulatory requirement?

Cybersecurity requirements are covered by a wide umbrella of regulations. A MedTech manufacturer should consider those regulations that are specific for medical devices and those that are dependent on the technology per se. Also, MedTech Manufacturers should consider regulations related to the applicable type of industry. For example in Europe, the NIS2.0 directive for enterprises in critical infrastructure industries.

Apart from certification evaluations, do you offer any other type of service (for example cybersecurity testing)? If so, which kind of cybersecurity tests do you perform for medical devices?

Yes, our main service for medical device manufacturers is the penetration testing campaign, where we perform testing on different aspects and on all the components of the medical device system. 

It is important to mention that we differentiate the testing campaign based on the level of information that the manufacturer is willing to share with us. We go from black box testing, where only public information is used, to white box testing, where the source code is assessed for a deeper and punctual analysis of the security functionalities.

At the end, we issue a report, that can be delivered to the notification body. 

How do you evaluate the security to safety impact and vice versa? 

As independent cybersecurity testing lab, we do not evaluate the security to safety impact, as we do not provide any assessment on the finding. 

We perform independent testing to identify vulnerabilities in the product and a rationale is provided if no countermeasures need to be implemented. In terms of product safety, the implications of the test results are not within the scope of our work. The findings must be assessed by the manufacturer and they must act based on the results and according to international regulations. 

Do you evaluate the security impact when you perform a safety evaluation? If so, how?

From ac safety perspective we lean on our IEC 60601-1 standard series for active medical devices and its requirements. The current series barely considers cybersecurity subjects, but there are some standards, such as IEC 60601-2-16 (Haemodialysis equipment) which inhibit requirements in that direction, like safe data transfer between the medical device and an IT-network referring to IEC 80001. So, currently, we barely look into a safety-security impact and vice versa, But the road is clear: requirements are coming. What is uncertain is the level of detail.

About the Changing Conversations podcast

Join us for the Changing Conversations podcast, where we take a deep dive into the complex issues facing the modern world and shine a light on the innovations that can make a difference. Each episode offers a fresh perspective on a unique topic – from the transition to a more sustainable world to AI technology.