4
min reading time
Medical devices have been around for decades, however they weren’t built with cybersecurity in mind. Even though these connected devices, like insulin pumps, peacemakers or smart MRI scans gain popularity with an increasing speed, their security consideration still lags behind when compared to other IoT devices intended for industrial usage.
Luckily, after several demonstrations by whitehat hackers about the ease of exploiting their common vulnerabilities, the European Union and the American FDA established respective cybersecurity guidelines to minimise the chance of malevolent exploitations.
These two new regulations on medical devices in the European Union (MDR 745/2017 - MDR Medical Devices Regulation; EU 2017/745 and IVDR 746/2017 - IVDR In Vitro Diagnostic Medical Devices Regulation; EU 2017/746) entered into force on 25 May 2017, although organizations have 5 years to adjust to the new rules, until May 26, 2022.
The MDR and the IVDR obligates manufacturers to abide by certain cybersecurity expectations in order to be able to market their devices, which already has an impact on the market. In 2017, for instance, the FDA announced its first-ever recall for a pacemaker that carried a major cybersecurity risk. In 2018, a popular pacemaker manufacturer had to shut down part of its Internet network - in order to fix the underlying issues -, after hackers demonstrated how they can remotely hack into their devices and manipulate patient data.
Even though manufacturers employ professional and senior level programmers and engineers most of the time, cybersecurity in products is not on the top priority list. This phenomenon is the result of a relatively low level of cybersecurity awareness within the healthcare industry, which has been coupled by the lack of regulation.
Most companies within the private sector are pusing for innovation to counter their competitors and to market the best medical device. This neck-to-neck competition on functionality threw cybersecurity at the back of the priority list. Moreover, as there was basically no regulation to comply with, manufacturers didn't have to maintain in-house IT security teams, or hire third-party experts to control risk management.
Fortunately, today we can observe a general increase in the level of awareness among manufacturers. This trend is the result of the terrifying cybercriminal activities of the recent past, such as hospital shutdowns, data theft, and ransomware attacks exploiting IT technologies used in healthcare systems and institutions. The European Union’s reaction was to level the playing field by integrating mandatory cybersecurity activities for manufacturers.
As medical devices are usually sold with their respective smart applications and are connected to a central hub, a smart phone or the Wi-Fi router, the network can be easily hacked if the device is not built using the secure by design principle.
The most common cyberattacks are ransomwares, phishing, code injections, (D)DOS and data theft that all can be prevented and mitigated with proper planning, risk management and IT security planning.
We might assume that hackers want to get a hold of personal data like bank account numbers and passwords, however PII is just the tip of the iceberg. By taking advantage of these vulnerabilities, they can modify data recorded by the connected devices, which can threaten the patients’ health, or disrupt the operation of healthcare institutions. Apart from that, this data can be used as a source of industrial espionage to blackmail vendors or institutions for ransom or selling this data on the black market for other cybercriminals to use.
Most of the cyber criminals get access to sensitive PII or perform a successful cyber attack by exploiting vulnerabilities because of the low priority of cybersecurity during development. Luckily, this is something which can be turned around quite quickly. By prioritizing cybersecurity while building and developing products and taking security into consideration right from the start, manufacturers can significantly decrease their attack surface.
By fulfilling the expectations of the EU medical device regulation, like the MDR and the IVDR, manufacturers can make sure that they’re using state-of-the-art technology that not only helps them to comply with the MDR standards, but saves a significant amount of money and time in the long run.
Even though MDR compliance might seem as an unnecessary expense at first sight, it helps manufacturers avoid unwanted costs deriving from data breaches, data theft or other legal and developmental expenditures caused by negligence on cybersecurity. After working with hundreds of clients throughout the years, we can confidently state that prevention is always better and more cost-effective than the reactive approach of putting out the fire when harm has been already done.
The secure by design principle is the best option for prevention. This means the due consideration of cybersecurity aspects before and during the development. As a result of this process, manufacturers can build better and more effective products, they can enjoy better outcomes on product evaluations, which eventually results in the earlier marketing of the smart connected device.
We know that building an IT and cybersecurity team to comply with regulations is quite costly and time-consuming. This is why we recommend working with a third-party expert to support regulation compliance and certification. Although, choosing a professional team who suits your demands can be complicated, so we advise the use of an independent organization for device cybersecurity testing with internationally recognized and measurable methodology, like CCLab.
If you want to make sure that your products are complying with the MDR and IVDR expectations and you want to work with a team with demonstrated history in this area, get in touch with us now!
Want to understand the MDR, IVDR regulation? Download our e-book on the latest requirements of medical cybersecurity
The second stage of the medical device cybersecurity testing framework is risk assessment. This downloadable infographics introduces the risk analysis process to you.
The first step in preparing for the EU MDR compliance is the gap analysis. This downloadable infographic guides you through the gap analysis process.
The rapid advancement of connected medical devices has revolutionized the healthcare sector, particularly in vitro diagnostics (IVD). These devices are pivotal in disease detection and management, from genetic tests and blood glucose meters to infectious disease diagnostics, underpinning modern healthcare practices. The global market for in vitro diagnostics (IVD) is projected to grow significantly, with estimates predicting a compound annual growth rate (CAGR) of 5% to 7%, driven by advancements in connected diagnostic devices. While these innovations enhance diagnostic accuracy and operational efficiency, they also amplify cybersecurity risks, demanding urgent attention to device security. However, the growing connectivity of in vitro diagnostic devices exposes them to cybersecurity threats, posing risks to patient data, diagnostic accuracy, and operational continuity. This article explores the vulnerabilities of connected IVD devices, the significance of IVDR compliance, and strategies to safeguard against emerging cyber threats.
10
min reading time
In an era where digital threats grow in complexity and frequency, cybersecurity is no longer a secondary consideration but an essential part of manufacturing operations. Compliance with security standards offers manufacturers a structured approach to managing the growing risks of digital threats and securely handling sensitive data. Compliance also helps companies meet industry regulations, protect intellectual property, and avoid potentially devastating financial losses.
8
min reading time
The rise of the Internet of Things (IoT) has revolutionized how we interact with technology. Consumer IoT devices are now deeply integrated into the fabric of modern life, from smart home appliances, wearable gadgets, and connected vehicles to health monitors and voice assistants. However, the increased connectivity provided by consumer IoT products also introduces a broader attack surface for cyber threats.
8
min reading time