We have known how vulnerable IT security is in the healthcare sector since February 2016, when the IT infrastructures of many clinics were brought to a standstill by a simple virus attack. As a result, the authorities are paying closer attention to ensuring that not only clinics but also manufacturers guarantee the IT security of their (medical) devices.
This article gives you an overview of the hazards threatening IT security in the healthcare sector and of what you can and must do about them. This will help you avoid regulatory trouble and develop and operate devices safely.
Update: The latest BSI publications have been added to section 3 a). This gives you a quick overview of 120 pages.
1. Particularities of IT Security in Healthcare
Threats to IT security are not limited to healthcare. Yet there are some particularities to consider:
Human lives are threatened
In contrast to attacks on private individuals or on many corporate infrastructures, attacks on IT infrastructures in healthcare (e.g. of clinics) pose a threat to humans, more precisely to patients. If a clinic's IT breaks down, as happened recently, no more patients can be admitted, and surgeries have to be postponed. If the medical ventilators of an intensive care unit are targeted, patients can die within minutes.
Specific regulations must be complied with
Threatening IT security in healthcare also means threatening the protection of highly confidential personal health data. For this reason (but not for this reason alone), specific regulations for operators of healthcare facilities and for medical device manufacturers exist, which you can read more about in the following section.
Many clinics operate unprofessionally
Few other sectors invest as little money in IT security as the healthcare sector. In line with the motto "you get what you pay for", many IT departments of clinics are understaffed and poorly trained. IT security is further undermined by adventurous IT infrastructures and the high extent of partly uncoordinated outsourcing to all kinds of actors (service providers for printers, firewalls, PCs and hotlines, manufacturers of IT systems and medical devices).
Manufacturers act irresponsibly
Manufacturers, too, are responsible for insufficient IT security. Among the reasons are:
"Historically grown" system and software architectures.
Poor understanding of the threat to IT security caused by the complete integration of IT and medical engineering.
Lack of will to systematically analyze and manage IT security as part of risk management.
Lack of willingness to assume responsibility not only for their own product, but also for the product in the context of a clinic network.
2. IT Security Regulatory Requirements in Healthcare
a) Requirements for Manufacturers
In contrast to the USA, the European legal area has only a few specific standards for addressing the IT security of medical devices.
EU law and national laws
Under MDR Annex I, 17.2, the MDR explicitly requires software development to be "state-of-the-art". This includes IT security. Manufacturers must also define requirements for the IT security measures that operators have to take. The MDR even incorporates the demand for data protection.
The MDCG has published the 2019-16 guidelines, in which the Medical Device Coordination Group explains in more detail how it intends to implement the MDR and IVDR's IT security requirements.
The DiGAV calls for IT security and data protection. The article on the DiGAV also mentions that the BfArM has published guidelines and FAQs on this subject, which address the use of US cloud providers, among other things.
The EU has included IT security in the Radio Equipment Directive (RED). IT security is, therefore, a mandatory requirement for the CE marking of devices with a radio module. However, according to MDR/IVDR, medical devices are exempt from the corresponding regulations (Art. 2 para. 1 Delegated Regulation (EU) 2022/30).
The new Cyber Resilience Act is also not applicable to medical devices that fall under the MDR and IVDR. However, manufacturers can consider it an additional guideline for the state of the art.
At the end of 2022, the EU launched a new directive called NIS2. It must now be transposed into national law within 21 months. The new directive does not yet have any direct consequences for manufacturers. This is also because the member states first have to transpose the changes into national laws. However, it is obvious that medical device manufacturers must ensure the IT security not only of their devices, but also of their organization.
Requirements of the national authorities and notified bodies
The CyberMed expert group explains how manufacturers should complete the "Manufacturer Disclosure Statement for Medical Device Security (MDS2)" in the 2019 guidelines for using the MDS2, which are available on the BSI (German Federal Office for Information Security) website.
The BSI has also published the technical guideline BSI TR-03161: Security Requirements for Digital Health Applications. The BSI guideline, in turn, refers to other specifications, although these are not specific to medical devices:
TR-03107-1: Electronic identities and trust services in eGovernment Part 1
The notified bodies have developed their guidelines on IT security based on the Johner Institute's guidelines. As these are published and used by the notified bodies, they are a must-read, at least for German manufacturers.
Standards
In its latest version, ISO 13485:2016 was amended to include the protection of confidential data as well as the establishment and review of requirements for associated medical devices.
IEC 60601-1 requires that risks resulting from a "lack of data security, particularly vulnerability to tampering, unintended interaction with other programs and viruses" be managed.
IEC 60601-4-5 is also specific to medical devices. It references the IEC 62443 standard, which means that its catalog of requirements is very extensive.
With Amendment I (2016) of IEC 62304, the standard requires that software requirements include IT security requirements.
Risk management (e.g., compliance with ISO 14971) has always had to address all risks, including those caused by a lack of IT security, such as cyber-attacks.
The cybersecurity standard IEC 81001-5-1 deals with how IT security must be taken into account in the software life-cycle.
ISO 27002 describes almost 100 controls (security measures). It was significantly revised in 2022. A new edition of ISO 27001, already available as FDIS, is also expected at the end of the year.
Regulatory requirements in the USA and other countries
In April 2022, the FDA published the draft guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (Draft Guidance for Industry and Food and Drug Administration Staff).
DiGA manufacturers should read the article on security and data protection for DiGA. It summarizes all the regulatory requirements relevant to DiGA and saves you from having to search through 100 pages of regulations. This also includes BSI TR-03161.
b) Requirements for operators
EU regulations, EU directives, national laws
Many people are unaware of EU Directive 2016/1148 "concerning measures to ensure a high common level of security of network and information systems across the Union." It is also known as the NIS Directive (the Directive on security of network and information systems).
This directive explicitly mentions "healthcare facilities (including hospitals and private clinics)" in Annex II. It was transposed into national law as the BSI Act (see above).
Operators must also guarantee data protection. IT security is a necessary but not a sufficient prerequisite for this. The General Data Protection Regulation forms the basis.
National laws and regulations
In addition, there are national provisions such as the BSI Act and further demands by the German Federal Office for Information Security (BSI) regarding healthcare. In the course of the national critical infrastructure protection strategy (KRITIS strategy), the IT Security Act, too, was put into effect, which explicitly addresses healthcare.
Due to increasing cross-linkages, medical device manufacturers increasingly become operators themselves. Therefore, the MPBetreibV also applies to them, which requires secure operation.
Standards
IEC 80001 is a standard describing risk management regarding the operation of IT systems in the healthcare sector. Data and system security (IT security) is one of the three explicit protection targets. In this context, especially IEC 80001-2-8 ("Application guidance - Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2") is relevant.
The following laws, too, are directly related to IT security:
Law on Control and Transparency in Business (KonTraG)
Criminal Code: Sec. 202b Data Interception, Sec. 263a Computer Fraud, Sec. 303a Data Alteration and Sec. 303b Computer Sabotage
3. Examples of IT Security Breaches
A contribution by Doccheck offers an overview of IT security problems in healthcare. AAMI reports that the ransomware attacks in May 2017 were also a wake-up call for the FDA, which calls attention to the vulnerability of IT systems in healthcare.
Note: IT security is the extent to which the availability, integrity, and confidentiality of information are protected. IT security is therefore more than just protection against cyber attacks.
a) Negligence by Medical Device Manufacturers
New threats keep emerging from medical devices that disregard elementary security standards, evidently ignoring the requirements of risk management and of the FDA Cybersecurity Guidance.
As repeatedly reported by heise.de [1; 2] and hextech.com, infusion pumps by Hospira have a fatal Telnet vulnerability.
Thousands of medical devices are vulnerable to attacks via the internet, as consistently reported by heise.de and golem.de [3], [4].
Manufacturers' sloppiness when writing and updating firmware is an increasing problem [6].
The FDA has issued several warnings about active implants from Medtronic where communication is unencrypted and/or not authorized.
BSI: Cyber security assessment of networked medical devices
Implantable pacemakers and defibrillators and their equipment
Insulin pumps
Ventilators
Infusion pumps
Patient monitors
In its conclusion, the BSI states:
A total of more than 150 vulnerabilities were reported to manufacturers as part of the project. The inspection revealed that the vulnerabilities were often to be found in the accompanying infrastructure but rarely in medical devices. [...] It is pointed out that the output of the IT security tests may have been distorted or influenced. As manufacturers' participation in the project was voluntary, it was expected that those manufacturers with a certain level of maturity in their IT security processes would most likely cooperate.
The security assessments also showed that the IT security situation varies greatly from manufacturer to manufacturer and depends heavily on the maturity level of the individual manufacturer.
BSI
Manufacturers should benefit from these documents and
review whether their own devices are affected by the same defects;
take this document into account in their post-market surveillance;
review the recommended measures for avoiding vulnerabilities to determine whether they are applicable in their own company ("preventive action");
adopt the methods used to detect vulnerabilities into their own arsenal if necessary. The BSI even lists methods for reviewing apps and web-based systems, although these were not the focus of the study.
BSI: eCare digitalization in the care sector
The BSI's evaluation is an exciting read. Even the market overview is helpful. The networked systems range from home emergency call systems to smart beds, sleep monitoring, and networked heated blankets.
The result is a bit disappointing:
In summary, considering the high need for health data protection, the IT security level found can be rated as poor to very poor. This can be explained, among other things, by the fact that moderate to severe vulnerabilities were uncovered in all the devices examined. It should also be noted that the depth of testing [...] can be described as low and by no means corresponds to complete penetration tests or a security evaluation.
BSI: "eCare - Digitalization in care. Current market analysis and IT security assessment."
At the very least, the devices are suitable as poor role models and give manufacturers an idea of
how the BSI investigates when it only carries out superficial checks,
what minimum requirements the BSI sets,
which errors manufacturers must not make under any circumstances.
b) Health insurance providers
In several blogs, I have expressed my concern that it is only a matter of time until hospitals and chains of clinics are blackmailed by data thieves, too. Unfortunately, I forgot one major participant of the healthcare system open to blackmail: health insurance providers. This has happened now, as reported by Süddeutsche and Spiegel [7].
c) Hospitals
Cyberattacks
IT security in healthcare is increasingly exposed to threats since hackers have realized the value of data [9].
Often, hospitals are not the targeted victims of cyber attacks. Rather, their badly maintained IT infrastructure with outdated and unpatched operating systems is as helpless as an open barn door in the face of attackers.
In February 2016, computer virus Locky crippled several clinics in North Rhine-Westphalia. For example, rp-online, WAZ and heise.de reported on this. One commentator wrote that not two, but 48 (!) clinics were affected. An expert from Kaspersky confirmed those weaknesses (article published in KH-IT Journal).
Those attacks are not limited to Germany. According to Inquisitr, a hospital in California had to pay millions in ransom.
In May 2017, hospitals were targeted again, especially the UK healthcare system NHS [10, 11]. This time, the virus was called "Wanna Cry".
Overview of the number and causes of data breaches
Fig. 1: The number of breaches has been rising continuously for years. At the beginning of October 2019, the number of incidents had almost reached the previous year's level.
The authority has also investigated the types of attacks:
Fig. 2: One third of breaches are caused by hacking. (Data: January 2017 to October 2019)
Data leaks due to hacking have increased continuously:
Fig. 3: The number of breaches caused by "hacking/IT incidents" has continuously increased over the years. On the other hand, there are fewer classic thefts. (Data: January 2009 to May 2019)
Nevertheless, it must be clear that many of the healthcare sector's IT security problems are not due to malicious attacks from outside. Rather, negligence on the part of hospitals and medical practices causes data to be "leaked." In September 2019, for example, millions of radiology image data were unprotected online [source].
Government agencies
It is not just conspiracy theorists who are concerned about what the NSA uses or could use, given how many gaps healthcare IT security has.
The NSA is also partly to blame for the Wanna Cry attacks: it had recognized the security gap in Windows and exploited it for intelligence activities. It had not even reported the vulnerability to Microsoft when its spying tools became public.
d) Threats
The ECRI Institute has compiled the greatest hazards for patients in the document Top 10 Health Technology Hazards for 2018. This includes several hazards that affect IT security (highlighted in bold).
Ransomware and Other Cybersecurity Threats to Healthcare Delivery Can Endanger Patients
Endoscope Reprocessing Failures Continue to Expose Patients to Infection Risk
Mattresses and Covers May Be Infected by Body Fluids and Microbiological Contaminants
Missed Alarms May Result from Inappropriately Configured Secondary Notification Devices and Systems
Improper Cleaning May Cause Device Malfunctions, Equipment Failures, and Potential for Patient Injury
Unholstered Electrosurgical Active Electrodes Can Lead to Patient Burns
Inadequate Use of Digital Imaging Tools May Lead to Unnecessary Radiation Exposure
Workarounds Can Negate the Safety Advantages of Bar-Coded Medication Administration Systems
Flaws in Medical Device Networking Can Lead to Delayed or Inappropriate Care
Slow Adoption of Safer Enteral Feeding Connectors Leaves Patients at Risk
Don't leave the safety of your patients to chance
Play it safe with a pentest from the Johner Institute!
Please refer to the IT security guidelines published by the Johner Institute, TÜV Süd, and other notified bodies. They provide step-by-step instructions for ensuring IT security throughout the product life cycle.
The Johner Institut team helps manufacturers introduce ISO 27001-compliant information security management systems (ISMS) quickly and effectively. If you are interested, contact the Johner Institut, e.g., via the contact form. In a non-binding discussion, you will learn how the introduction of an ISMS works, how long it takes, and what costs are involved.
Update
2023-02-17: HIPAA requirements linked
2022-12: New legal requirements added
2022-09: Notes on the EU Cyber Resilience Act and the ISO 27000 family added
2022-06: Section with legal requirements supplemented by draft of the new FDA Guidance Document and IEC 80001-5-1
2022-02: Notes on requirements for IT security in the Radio Equipment Directive (RED) added
2021-02: BSI publications added to section 3.a); the large number of regulatory requirements in section 2.a) better organized with subheadings