Cybersecurity in the healthcare sector.
The healthcare sector is facing an unprecedented wave of cyberattacks. At the end of 2023 and beginning of 2024, successful attacks on hospitals and other facilities increased massively, writes krankenhaus-it.de. In February 2024, for example, over 20 Romanian hospitals were paralysed by an attack on their central IT service provider … with serious consequences for the provision of care. Cyber criminals no longer stop at hospital doors. Networked medical technology products are also being targeted.
Medical devices and digital healthcare systems are becoming increasingly networked and therefore more susceptible to attacks. However, the dependency of patient care on these networked solutions is also increasing. The consequence is that cyber security is not an optional add-on, but must be an integral part of protecting patients and ensuring safe operation.
Regulators around the world are responding to the threat situation. In the USA, the Food and Drug Administration (FDA) now requires evidence of a comprehensive cybersecurity concept (threat model, software bill of materials, vulnerability-handling and update plan) as part of the premarket submission for any medical device that contains software and can connect to other systems (source). The FDA applies this even to devices that only communicate locally, e.g. via Bluetooth or USB, with another system. Without this evidence, such a medical technology product can no longer expect to obtain market authorisation in the USA.

Legislators are also tightening the reins in Europe: the EU Cyber Resilience Act (CRA), in force since December 2024, sets binding cybersecurity requirements for products with digital elements. Manufacturers must carry out a risk assessment as early as the product design stage, derive protective measures, document everything in full and handle and report vulnerabilities throughout the support period. After a transitional period of 36 months, the main obligations become binding from 11 December 2027 (the vulnerability-reporting obligations earlier, from 11 September 2026); violations can result in fines of up to €15 million or 2.5% of worldwide annual turnover. One caveat on scope: medical devices already regulated under the MDR or IVDR are exempt from the CRA (Article 2(2)); for them the equivalent obligations follow from the MDR's general safety and performance requirements and the MDCG 2019-16 guidance on cybersecurity, whereas health-related products without a medical intended purpose, such as consumer wearables and their apps, fall under the CRA.
In future, nothing will work without “security by design”.
Cyber security must not only be addressed as a reaction to discovered vulnerabilities. Instead of laboriously applying security patches retrospectively, the industry is focussing on systematically integrating protective measures into every phase of product development. We consistently follow this principle. For us, it’s about preventing security vulnerabilities from arising in the first place instead of having to “put out fires” later at great expense.
Which aspects of cyber security are the most critical for us? Above all, the basics that make a product secure by design: strong encryption of sensitive health data at rest and in transit, rigorous access control (authentication and authorisation for every user and every interface, including service and debug interfaces) and well thought-out patch management so that updates reach devices in the field promptly. In our view, modern networked medical devices must have these building blocks – cryptography, access management, attack detection and a secure update capability – in their architecture from the start rather than bolted on later. Equally important is complete technical documentation of all security measures – from the initial risk analysis to the maintenance concept – in order to demonstrate MDR compliance and provide evidence to the authorities.
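To make two of these building blocks concrete, cryptography and a secure update capability, here is a small Go program written for this article as an added example; it is not B&W's code nor any manufacturer's update mechanism. It assumes a fictitious device that has the vendor's Ed25519 public key burned in at manufacture, a signed manifest consisting of a version number and the SHA-256 of the firmware image, and a monotonic installed-version counter; the type and function names and the sample image bytes are all constructed for the example. The device accepts an update only if the manifest signature is valid, the version is strictly newer (anti-rollback) and the image hashes to the signed digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Domain-separation prefix so a manifest signature cannot be replayed as a
// signature over some other message type the vendor key might also sign.
const manifestTag = "fw-manifest-v1:"

// Manifest is the only thing that is signed. The image itself is bound to it
// through its SHA-256 digest, so a swapped image fails the hash check even
// though the signature over the manifest is still valid.
type Manifest struct {
	Version  uint32   // monotonically increasing firmware version
	ImageSHA [32]byte // SHA-256 of the firmware image bytes
}

// Encode serialises the manifest in a fixed, unambiguous layout for signing.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 0, len(manifestTag)+4+32)
	buf = append(buf, manifestTag...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	buf = append(buf, v[:]...)
	return append(buf, m.ImageSHA[:]...)
}

// Device is the verifying side (hypothetical). It holds only the vendor's
// public key and the version currently installed; it never sees the signing key.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update is not newer than installed firmware")
	ErrHashMismatch = errors.New("image digest does not match signed manifest")
)

// ApplyUpdate accepts an update only if (1) the manifest is signed by the
// vendor, (2) it carries a strictly newer version than what is installed and
// (3) the image bytes hash to the digest in the manifest. The signature is
// checked first so that no unauthenticated field influences any decision.
func (d *Device) ApplyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorPub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= d.Installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageSHA {
		return ErrHashMismatch
	}
	d.Installed = m.Version // only now is the new image trusted
	return nil
}

// SignManifest is the manufacturer side: build the manifest for an image and
// sign it with the vendor key (kept offline or in an HSM in practice).
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, ImageSHA: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.Encode())
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, Installed: 3}
	image := []byte("constructed firmware image, version 4") // sample bytes, not a real image

	m, sig := SignManifest(priv, 4, image)
	fmt.Println("genuine v4 update:", dev.ApplyUpdate(m, sig, image), "installed =", dev.Installed)

	// Replay of the same signed v4 manifest against the now-updated device.
	fmt.Println("replayed v4 update:", dev.ApplyUpdate(m, sig, image))

	// Attacker swaps the image but keeps the genuine manifest and signature.
	m5, sig5 := SignManifest(priv, 5, []byte("genuine v5"))
	fmt.Println("tampered image:", dev.ApplyUpdate(m5, sig5, []byte("malicious v5")))

	// Attacker forges a manifest with a higher version but no vendor signature.
	forged := Manifest{Version: 99, ImageSHA: sha256.Sum256(image)}
	fmt.Println("forged manifest:", dev.ApplyUpdate(forged, make([]byte, ed25519.SignatureSize), image))
}
```

The order of the checks matters: the device makes no decision on the version or the image until the manifest signature has been verified, and the installed-version counter is only advanced after all three checks pass, so a rejected update leaves the device state untouched. A real bootloader would additionally verify the image in its final storage location and protect the version counter against physical rollback, which this example leaves out.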
Flexibility is a core value of B&W: our experts adapt the security concept to each project environment in an agile manner instead of imposing rigid standardised solutions. In this way, security is built in from the outset without slowing down the pace of innovation.
How can the cyber security of products be continuously improved? Firstly, by understanding security not as a one-off project but as an ongoing process. New threats emerge all the time, which is why we regularly review and optimise security mechanisms throughout the entire product life cycle. Our vigilance does not end with the market launch either: through active vulnerability monitoring and established patch management, we respond promptly when new attack vectors become known, for example
What role do external security audits play in product development? In our view, a decisive one. Experience and public sources show that external testers almost always find vulnerabilities, even in well-protected systems. That is why, wherever possible, we carry out several smaller audits during development instead of one large test at the end.
The next big challenge is the countless networked healthcare devices …
… from wearables such as smartwatches and fitness trackers to smart diagnostic systems for the home. They collect highly sensitive health data and connect to smartphones or hospital systems. Each of these digital assistants is a potential entry point for attacks if its security is neglected. Vulnerabilities in seemingly harmless wearables can open up a new form of personalised cybercrime (source). Imagine an attacker manipulating the vital signs reported by a patient's wearable and thereby compromising their treatment. The German Federal Office for Information Security (BSI) has identified precisely such risks in a recent study: security vulnerabilities in healthcare wearables were identified, reported to the manufacturers and in some cases closed before publication.
Cybersecurity in the healthcare sector is no longer just a compliance issue. It is important for user and patient safety, market acceptance and ultimately business success. We support you as a flexible partner! We help medtech companies to implement robust security architectures by design so that digital healthcare technologies deliver what they promise!