IT Security in Healthcare

We have known how vulnerable IT security is in the healthcare sector since February 2016, when the IT infrastructures of many clinics were brought to a standstill by a simple virus attack. As a result, the authorities are paying closer attention to ensuring that not only clinics but also manufacturers guarantee the IT security of their (medical) devices.

This article will give you an overview of what hazards IT security in the healthcare sector and what you can and must do about them. This will help you avoid regulatory trouble and develop and operate devices safely.

Update: The latest BSI publications have been added to chapter 3. a). This gives you a quick overview of 120 pages.

Threats to IT security are not limited to healthcare. Yet there are some particularities to consider:

• Human lives are threatened
  In contrast to attacks on private individuals' or many corporate infrastructures, attacks on IT infrastructures in healthcare (e.g. of clinics) pose a threat to humans, more precisely to patients. If a clinic's IT breaks down, just as happened recently, no more patients can be admitted, and surgeries have to be postponed. If medical ventilators of an intensive care unit are targeted, patients can die within minutes.
• Specific regulations must be complied with
  Threatening IT security in healthcare also means threatening the protection of highly confidential personal data on health.
   For this reason (but not for this reason alone), specific regulations for operators of healthcare facilities and for medical device manufacturers exist, which you can read more about in the following section.
• Many clinics operate unprofessionally
  There are only a few other sectors outside the healthcare sector that invest so little money in IT security. In line with the motto "you get what you pay for", many IT departments of clinics are understaffed and poorly trained. IT security is further undermined by adventurous IT infrastructures and the high extend of partly uncoordinated outsourcing to all kinds of actors (service providers for printers, firewalls, PCs and hotline, manufacturers of IT systems and medical devices).
• Manufacturers act irresponsibly
  Manufacturers, too, are responsible for insufficient IT security. Among the reasons are:
  • "Historically grown" system and software architectures.
  • Poor understanding of the menace to IT security cause by total integration of IT and medical engineering.
  • Lack of will to systematically analyze and manage IT security as part of risk management.
  • Lack of willingness to assume responsibility not only for their own product, but also for the product in the context of a clinic network.

a) Requirements for Manufacturers

In contrast to the USA, the European judicial area knows only a few specific standards for addressing IT security of medical devices.

EU law and national laws

1. Under MDR Annex I, 17.2, the MDR explicitly requires software development to be "state-of-the-art". This includes IT security. Now, manufacturers must define requirements regarding measures by operators about IT security. The MDR even internalizes the demand for data protection.
2. The MDCG has published the 2019-16 guidelines, in which the Medical Device Coordination Group explains in more detail how it intends to implement the MDR and IVDR's IT security requirements.
3. The DiGAV calls for IT security and data protection. The article on the DiGAV also mentions that the BfArM has published guidelines and FAQs on this subject, which address the use of US cloud providers, among other things.
4. The EU has included IT security in the Radio Equipment Directive (RED). IT security is, therefore, a mandatory requirement for the CE marking of devices with a radio module. However, according to MDR/IVDR, medical devices are exempt from the corresponding regulations (Art. 2 para. 1 Delegated Regulation (EU) 2022/30).
5. The new Cyber Resilience Act is also not applicable to medical devices, according to MDR and IVDR. However, manufacturers can consider it an additional guideline for the state of the art.
6. At the end of 2022, the EU launched a new directive called NIS2. It must now be transposed into national law within 21 months. The new directive does not yet have any direct consequences for manufacturers. This is also because the member states first have to transpose the changes into national laws. However, it is obvious that medical device manufacturers must ensure the IT security not only of their devices, but also of their organization.

Requirements of the national authorities and notified bodies

1. The CyberMed expert group explains how manufacturers should complete the "Manufacturer Disclosure Statement for Medical Device Security (MDS2)" in the 2019 guidelines for using the MDS2, which are available on the BSI (German Federal Office for Information Security) website.
2. The BSI (German Federal Office for Information Security) has published a document on cyber security requirements for network-enabled medical devices.
3. The BSI has also published the technical guideline BSI TR-03161: Security Requirements for Digital Health Applications. The BSI guideline, in turn, refers to other specifications, although these are not specific to medical devices:
   1. BSI Standard 200-1, BSI Standard 200-2, BSI Standard 203
   2. BSI IT baseline protection compendium
   3. BSI TR-02102-1: Cryptographic procedures: Recommendations and key lengths
   4. BSI TR-02102-2: Cryptographic procedures: Use of TLS
   5. TR-03107-1: Electronic identities and trust services in eGovernment Part 1
4. The notified bodies have developed their guidelines on IT security based on the Johner Institute's guidelines. As this is published and used by the notified bodies, it is a must-read, at least for German manufacturers.

Standards

1. In its latest version, ISO 13485:2016 was amended to include protection of confidential data as well as the establishment and review of requirements for associated medical devices
2. IEC 60601-1 demands risks in consequence of a "lack of data security, particularly vulnerability to tampering, unintended interaction with other programs and viruses" to be managed.
3. IEC 60601-4-5 is also specific to medical devices. It references the IEC 62443 standard, which means that its catalog of requirements is very extensive.
4. With Amendment I (2016) of IEC 62304, the standard requires that software requirements include IT security requirements.
5. Risk management (e.g., compliance with ISO 14971) has always had to address all risks, including those caused by a lack of IT security, such as cyber-attacks.
6. The cybersecurity standard IEC 81001-5-1 deals with how IT security must be taken into account in the software life-cycle.
7. ISO 27002 describes almost 100 controls (security measures). It was significantly revised in 2022. A new edition of ISO 27001, already available as FDIS, is also expected at the end of the year.

Regulatory requirements in the USA and other countries

1. In the USA, operators must comply with the requirements of HIPAA.
2. The FDA has published specific requirements in four(!) guidance documents on the topic of cybersecurity.
3. The FDA also references AAMI 57 on IT security risk management in accordance with ISO 14971.
4. It also recognizes UL 2900-2-1 as a standard for IT security.
5. Health Canada followed suit in December 2019 and also published a draft guidance "Premarket Requirements for Medical Device Cybersecurity".
6. In April 2020, the IMDRF also published a guideline on cybersecurity.
7. In April 2022, the FDA published a draft guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff.
8. The FDA has commissioned MITRE (a non-profit organization) to develop a "playbook." This "Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook" is now available.

b) Requirements for operators

EU regulations, EU directives, national laws

Many people are unaware of EU Directive 2016/1148"concerning measures to ensure a high common level of security of network and information systems across the Union." It is also known as the NIS Directive (The Directive on security of network and information systems).

This directive explicitly mentions "healthcare facilities (including hospitals and private clinics)" in Annex II. It was transposed into national law as the BSI Act (see above).

Operators must also guarantee data protection. IT security is a necessary but not a sufficient prerequisite for this. The General Data Protection Regulation forms the basis.

National laws and regulations

In addition, there are national provisions such as the BSI Act and further demands by the German Federal Office for Information Security (BSI) regarding healthcare. In the course of the national critical infrastructure protection strategy(KRITIS strategy), the IT Security Act, too, was put into effect, which explicitly addresses healthcare.

Due to increasing cross-linkages, medical device manufacturers increasingly become operators. Therefore, the MPBetreibV and comes into effect, which requires secure operation.

Standards

IEC 80001 is a standard describing risk management regarding the operation of IT systems in the healthcare sector. Data and system security (IT security) is one of the three explicit protection targets. In this context, especially IEC 80001-2-8 („Application guidance — Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2“) is relevant.

Further information

The German Hospital Federation has published a guideline entitled "Sector-specific safety standard for healthcare in hospitals."

c) Sector-independent requirements

The following laws, too, are directly related to IT security:

• Law on Control and Transparency in Business (KonTraG)
• Criminal Code: Sec. 202b Data Interception, Sec. 263a Computer Fraud, Sec. 303a Data Alteration and Sec. 303b Computer Sabotage

A contribution by Doccheck offers an overview of IT security problems in healthcare. AAMI reports that the RansomWare attacks in May 2017 were also a wake-up call for the FDA, which calls attention to the vulnerability of IT systems in healthcare.

Cave: IT security is the extent to which information availability, integrity, and confidentiality are protected. IT security is more than just protection against cyber attacks.

a) Negligence by Medical Device Manufacturers

Obviously ignoring requirements of risk management and of the FDA Cybersecurity Guidance, new menaces caused by medical devices disregarding elemental security standards are recurring.

• As repeatedly reported by heise.de [1; 2] and hextech.com, infusion pumps by Hospira exhibit a fatal Telnet hole.
• Thousands of medical devices are vulnerable to attacks via the internet, as consistently reported by heise.de and golem.de [3], [4].
• Manufacturers' sloppiness when writing and updating firmware is an increasing problem [6].
• The FDA has issued several warnings about active implants from Medtronic where communication is unencrypted and/or not authorized.

BSI: Cyber security assessment of networked medical devices

The BSI's systematic evaluation entitled Cyber Security Assessment of Networked Medical Devices is also interesting. The authority examined the following product classes:

• Implantable pacemakers and defibrillators and their equipment
• Insulin pumps
• ventilators
• Infusion pumps
• Patient monitors

As an output, the BSI concludes:

Manufacturers should benefit from these documents and

• review whether their own devices are affected by the same defect;
• take this document into account in their post-market surveillance;
• review the recommended measures for avoiding vulnerabilities to determine whether they are applicable in their own company ("Preventive Action");
• adopt the methods used to detect vulnerabilities in your arsenal if necessary. The BSI even lists methods for reviewing apps and web-based systems, although these were not the focus of the study.

BSI: eCare digitalization in the care sector

The BSI's evaluation is an exciting read. Even the market overview is helpful. The networked systems range from home emergency call systems to smart beds, sleep monitoring, and networked heated blankets.

The output is a bit disappointing:

At the very least, the devices are suitable as poor role models and give manufacturers an idea of

• how the BSI investigates when it only carries out superficial checks
• what minimum requirements the BSI sets,
• which errors manufacturers must not make under any circumstances.

b) Health insurance providers

In several blogs, I have expressed my concern that it is only a matter of time until hospitals and chains of clinics are blackmailed by data thieves, too. Unfortunately, I forgot one major participant of the healthcare system open to blackmail: health insurance providers. This has happened now, as reported by Süddeutsche and Spiegel [7].

c) Hospitals

Cyberattacks

IT security in healthcare is increasingly exposed to threats since hackers have realized the value of data [9].

Often, hospitals are not the targeted victims of cyber attacks. Rather, their badly maintained IT infrastructure with outdated and unpatched operating systems are as helpless as an open barn door in the face of attackers.

• In February 2016, computer virus Locky crippled several clinics in North Rhine-Westphalia. For example, rp-online, WAZ and heise.de reported on this. One commentator wrote that not two, but 48 (!) clinics were affected. An expert from Kaspersky confirmed those weaknesses (article published in KH-IT Journal).
• Those attacks are not limited to Germany. According to Inquisitr, a hospital in California had to pay millions in ransom.
• In May 2017, hospitals are again targeted, especially the UK healthcare system NHS [10, 11] This time, the virus is called "Wanna Cry".

Overview of the number and causes of data breaches

The U.S. Department of Health and Human Services publishes and continuously evaluates security breaches in the healthcare sector. The analyses show that the number of incidents is constantly increasing.

Please refer to the IT security guidelines published by the Johner Institute, TÜV Süd, and other notified bodies. They provide step-by-step instructions for ensuring IT security throughout the product life cycle.

The Johner Institut team helps manufacturers introduce ISO 27001-compliant information security management systems (ISMS) quickly and effectively. If you are interested, contact the Johner Institut, e.g., via the contact form. In a non-binding discussion, you will learn how the introduction of an ISMS works, how long it takes, and what costs are involved.

Update

• 2023-02-17: HIPAA requirements linked
• 2022-12: New legal requirements added
• 2022-09: Notes on the EU Cyber Resilience Act and the ISO 27000 family added
• 2022-06: Section with legal requirements supplemented by draft of the new FDA Guidance Document and IEC 80001-5-1
• 2022-02: Notes on requirements for IT security in the Radio Equipment Directive (RED) added
• 2021-02: BSI publications added to section 3.a); the large number of regulatory requirements in section 2.a) better organized with subheadings