Medical Device Cybersecurity

Doctor using a digital tablet

Security lab

GRC Cybersecurity Testing

Penetration Test

  GRC provides extensive penetration testing services to evaluate the resilience of systems against attacks and unauthorized access.

Gap Analysis

  Additionally, GRC can support global manufacturers by ensuring that their products comply with specific standards or guidelines required by regulatory bodies.

What is MEDICAL DEVICE CYBERSECURITY?

Cybersecurity for medical devices is vital for protecting both the data and lives of patients, as well as safeguarding medical institutions from ransomware attacks. With the evolution of medical devices and their connectivity, cyberthreats have continued to evolve in tandem, creating new risks.

CYBERSECURITY FOR MEDICAL DEVICES

Why is CYBERSECURITY for medical devices so IMPORTANT?

The risks in medical device cybersecurity are multifaceted, emphasising the need for up-to-date certifications and standards, as well as thorough cybersecurity evaluations.

Effective risk management involves enhancing life cycle processes to identify vulnerabilities and strengthen security through rigorous penetration testing.

CYBERSECURITY RISKS AND REQUIREMENTS FOR MEDICAL DEVICES

Regulatory requirements

Medical devices are subject to stringent regulations by bodies such as the FDA in the United States, the EMA in Europe, NMPA in China, and other regional regulatory agencies. These regulations require adherence to specific cybersecurity standards and guidelines to ensure devices are safe from hacking and other cyber threats. Non-compliance can result in severe penalties, recalls, or bans.

Patient safety

Cybersecurity flaws in medical devices can directly jeopardise patient safety. If a device such as a pacemaker or insulin pump is breached, it could malfunction, delivering incorrect treatment doses or failing at critical moments.

Privacy and Disruptions

Since medical devices often store and transmit sensitive health information, a security breach can expose personal health records, leading to identity theft and loss of patient confidentiality. This is a typical risk in ransomware attacks, where malicious actors encrypt critical data and demand a ransom to unlock it. Such attacks not only compromise patient privacy but also disrupt the essential operations of healthcare systems, underscoring the critical need for robust cybersecurity measures.

CYBERSECURITY MEDICAL DEVICES STANDARDS AND GUIDELINES

Medical Device CYBERSECURITY regulation

Given the risks involved, medical device cybersecurity is tested against stringent international and national standards. Regulatory bodies around the world have published guidelines concerning the regulation of medical device cybersecurity and outline the tests that devices need to undergo to reach markets. At GRC, we can support you with the following standards:

Medical Device CYBERSECURITY Guidance

  • MDCG 2019-16 EU Guidance on Medical Device Cybersecurity: Ensuring the integrity and confidentiality of medical device data across the European market.

  • USA / FDA Guidance on Cybersecurity in Medical Devices, Quality System Considerations and Content of Premarket Submissions: Guidelines for incorporating cybersecurity measures from design to deployment within the U.S. regulatory framework.

  • IEC TR 60601-4-5 Standard for Medical Device Cybersecurity: A technical roadmap for implementing global cybersecurity standards in medical devices.

  • IEC 81001-5-1 Standard for Health Software and Health IT Systems Security Activities in the Product Life Cycle: Strategies for maintaining cybersecurity throughout the device's operational life, applicable worldwide.

FDA Cybersecurity Testing

The cybersecurity testing required by the FDA is designed to ensure medical device security and effectiveness. It includes the following phases:

Security Requirements (to be performed by the manufacturer):

  • The manufacturer must provide evidence that during the design phase of their product, the security requirements defined during the threat modelling have been implemented.

  • The manufacturer must provide evidence on how these security requirements have been correctly implemented, and an analysis and justification of boundary assumptions.

Threat Mitigation (to be performed by the manufacturer):

  • The manufacturer must provide evidence demonstrating effective risk control measures based on provided threat models.

  • The manufacturer must provide evidence on how to verify that each cybersecurity risk control is adequate (e.g. the effectiveness of security in enforcing the specified security policy, performance under peak traffic conditions, stability, and reliability).

Vulnerability Testing (to be performed by the manufacturer or independent 3rd party):

The manufacturer or a third party must provide details and evidence of the following testing and analyses:

  • Robustness.

  • Fuzz testing.

  • Static and dynamic code analysis.

  • Attack surface analysis.

  • Closed box testing of known vulnerability scanning.

  • Software composition analysis of binary executable files.

Penetration Testing (to be performed by an independent 3rd party):

An independent 3rd party must provide identification and characterization of security issues through tests focusing on discovering and exploiting security vulnerabilities.

Penetration test reports should include the following elements:

  • Independence and technical expertise of testers.

  • Scope and duration of tests.

  • Testing methods.

  • Results.

  • Findings and observations.

Why choose GRC for CYBERSECURITY for Medical devices?

Penetration Testing

GRC offers extensive penetration testing services to assess the resilience of systems against attacks and unauthorised access. By performing cyberattack simulations, we evaluate vulnerabilities in medical devices across various components:

On Hardware

State-of-the-art attacks and ad-hoc tools made by lab experts:

  • Reverse Engineering

  • Design Review

  • Logical Attacks

  • Storage extraction and external analysis

On Software & Firmware

Strong background in embedded systems, secure boot, TEE and white box crypto:

  • Binary Reverse Engineering

  • Static Attacks

  • Source Code Audits

  • Debugging

  • Fuzzing

  • Dynamic Tamper / Hooking

On Communication Protocols

For IP stack protocols, industrial systems and proprietary protocols:

  • Attacks at all layers of the OSI model, including customised hardware to stimulate the lower layers (wired and wireless protocols)

  • Fuzzing

Our expertise in cybersecurity further enhances the security measures we recommend. Penetration testing activities conducted in our expert lab not only help to strengthen product cyber resilience but also serve as proof of compliance with cybersecurity requirements mandated by regulatory bodies worldwide, such as the FDA in the USA.

Gap Analysis

Our teams can also support manufacturers worldwide by verifying if their products comply with specific standards or guidelines requested by regulatory bodies.

At GRC, we review the documentation generated by the manufacturer to determine whether it meets the specific standard, identifying any gaps or potential challenges. During this phase, the GRC team will analyse, guide, and support the manufacturer in preparing the required documentation before submission to the regulatory body.

Example: For FDA Cybersecurity Testing, the GRC team offers an optional service to review the manufacturer's documentation prior to premarket submission, focusing on 1) Security Requirements, 2) Threat Mitigation and 3) Vulnerability Testing. Among other things, this review analyses the defined security requirements and whether they align with the security issues identified in the threat modelling, the defined hypotheses, and the suitability of the vulnerability testing.

Project and Products Experience

SaMD: Software as a Medical Device

  • Picture Archiving and Communication Systems

  • Surgery Planning Software

  • Surgery Navigation System Software

  • Radiation Therapy Planning System

  • Pelvic Floor Assessment Training Software

  • IVD Data Interpretation Software

  • Mobile apps for medical devices

  • Amongst others

SiMD: Software in a Medical Device

  • Medical Imaging Systems (X-Ray, CT, MR, etc.)

  • Automated External Defibrillator (AED)

  • Endoscopic Video System

  • Ambulatory Electroencephalogram (EEG) Machine

  • Electrocardiogram (ECG) Machine

  • Laser Scalpel

  • Laser Therapy Device

  • Amongst Others

Contact:

Soon Heung Jang (070-8709-9254)