IT Security for medical products
As an experienced development service provider, Corscience reports on the development and challenges of the secure networking of medical devices
The networking of medical devices in the homecare, clinic and preclinical treatment sectors has been growing in importance for many years now. This results in numerous advantages for patients, users and operators. However, it also comes with an increase in the associated security risks. Medical devices and their networks are classed as critical infrastructure and thus require particular protection. In order to realise cost-efficient and safe solutions as a development service provider, we take IT security issues into consideration right from the product concept stage. To ensure that the selected protective measures remain secure in the long term, these must be reviewed not only during development, but also over the entire course of the medical device’s product life cycle.
To verify the effectiveness of this procedure, Corscience worked with the Chair for IT Security at the Friedrich-Alexander University Erlangen-Nuremberg to assess the safety and security of an already developed patient monitor for clinical use.
In a joint dialogue, the risks were first outlined in detail and the protection goals were defined. The medical device was then analysed and tested extensively to identify possible weaknesses (penetration tests, brute force). In this step, the requirements and interfaces for production and service were assessed and analysed for potential entry points for attacks, as this is where critical gaps are often overlooked during conception.
The test revealed that with the applied IT security concepts, multiple attack scenarios could be successfully ruled out. On the monitor, the attack surface was kept minimal by isolating secondary services. This was evident with WLAN and HL7 communication, the internal web server and the periphery (e.g. bar code reader). Minor areas for improvement were identified (e.g. strengthening of the password policy); however, the fine line between security and usability must be given greater consideration here. We guarantee that our customers’ products measure up to the increasingly stringent security requirements by applying our know-how right from the concept and development stages and continuing to do so over the entire product life cycle in order to develop future-proof, user-friendly and reliable medical technology.