The State Of Medical Security

This post results from the project “MEDsec” within the Munich Cyber Security Program (MCSP). The MCSP is a cooperation project between Champlain College and ComCode (Germany). The project MEDsec focuses on cybersecurity topics for medical devices and medical services.

At some point in everyone’s life they have had to go to the doctor, and whether this was for something small or something serious, the doctor has had to use some kind of device. These devices, whether used for diagnosis, analysis or treatment, are becoming more and more interconnected, both with each other and with the wider internet. Whether it is an X-ray machine sharing its images with an image analysis program for the doctor, a pacemaker whose settings can be adjusted from an app on your phone, or even a health bracelet such as a Fitbit, the growing interconnection of medical devices means they are becoming more exposed to threats and threat actors in cyberspace. Proper assessment, response, planning, and adaptability are key to protecting the devices that protect us.

Throughout my research so far I have found that the governing bodies of both the United States and the European Union use a variety of institutions and practices to address risk throughout the lifecycle of medical devices. This lifecycle is generally described as follows.

  1. Planning: The need the device is meant to address is identified, and initial development and testing goals are defined.
  2. Design: The device takes on its technical form; engineers generate the required documentation and incorporate the necessary design elements.
  3. Validation: Regulatory compliance is completed, and all necessary information and labeling is provided to all stakeholders.
  4. Launch: The device is introduced to the market, and training and any other launch activities take place.
  5. Post Market: After the device has been sold, a cycle of monitoring, updating, and improving the device begins.

This summer, working for ComCode, the goal is to gain an understanding of the current state of cybersecurity with regard to medical devices and services. At first glance this might seem simple; however, cybersecurity is never as simple as it first appears, and medical devices include everything from the X-ray machine to the blood oxygen level reader to your Fitbit. All of these devices have security needs that must be met, and all are potential targets for malicious actors.

So far in my research, the main issue has been how convoluted and far-reaching the medical device field is. Because medical devices span such a wide range, there is a correspondingly wide range of regulations, practices, and controls applied to different devices, and the classification of devices is very open-ended, at times vague, and often left to the manufacturer. However, as my research has continued, the tangle of rules, regulations, and practices has started to unravel. A solid foundation for understanding the field should be in place shortly.

Follow us for more updates on this project!

For further questions about Munich Cyber Security Program, or this project please feel free to contact

Written By: Michael Verdi '22 // Computer & Information Systems Security  
