The medical world in the age of cybersecurity

We were delighted to participate in the 2018 BlackAlps conferences in Yverdon at the beginning of November. In addition to many trendy cybersecurity-related topics such as quantum computing and cryptocurrencies, the BlackAlps team decided this year to organize a special event focused on medical devices.

Based on several talks and a panel discussion between experts from both the medical and cybersecurity worlds, a clear statement emerged from this event: the lack of a pragmatic approach and of regulations surrounding cybersecurity in the medical domain represents a major risk, and this subject must be taken into consideration as soon as possible.

Indeed, with the ever-increasing interconnection of medical devices, cybersecurity plays an even bigger role in ensuring safety, effectiveness, and data privacy. The Medical Device Regulation (MDR), which entered into force in May 2017, contains explicit essential requirements regarding cybersecurity for medical devices. However, no harmonised standard applicable to these requirements has been published so far.

Numerous testimonies and discussions between specialists show that the requirements of the medical field are very similar to those of the industrial automation world.

The IEC 62443 series of standards benefits from the fact that it understands and deals with cybersecurity holistically with regard to the aspects of “persons – processes – technology”, and that the underlying role model of IEC 62443 (from the asset owner / operator via the “integrator” up to the product supplier and its development processes) can be mapped well to corresponding roles and dependencies in the medical field, e.g. between hospital operators, physicians, IT/network integrators, and medical device manufacturers (see Figure 1).

Figure 1: Example of scope of IACS product lifecycle (interpreted from ISA/IEC-62443-2-4)

The IEC 62443 standards are therefore increasingly recommended by the FDA, the BSI and similar organizations for the medical sector. However, applying the IEC 62443 standards in the field of medical engineering is by no means free from difficulties, especially regarding the terminology used and the references to industrial systems.

We, at CertX, strongly believe in the approach pushed by the IEC 62443 set of standards for its use in the medical domain. With this in mind, CertX continuously develops its cybersecurity services and currently offers:

  • Training to introduce or improve cybersecurity awareness in medical companies
  • Gap analysis / threat modelling to evaluate the cybersecurity state of your product / system / infrastructure against best practices and applicable standards
  • Certification of the compliance of your process / product / system with the ISA/IEC 62443 standards

We encourage you to contact us for more information about these domains and to potentially identify new opportunities to improve the security and long-term efficiency of your business.