POSTED BY: census / 24.11.2016

2nd ENISA eHealth Cyber Security workshop

CENSUS director of Product Security Services, Dr. Dimitrios Glynos gave a presentation on the topic of "Medical Device Security" at the "2nd ENISA eHealth Cyber Security" workshop held in Vienna, Austria on November 23rd 2016. ENISA is the European Union's Agency for Network and Information Security. Along with the workshop, ENISA published on the same month the "Smart Hospitals - Security and Resilience for Smart Health Service and Infrastructures" study.

Since 2014 CENSUS has been performing device security assessments to Smart Medical Devices, preparing vendors for regulatory body approval (e.g. FDA pre-market & post-market requirements) and allowing clinics to take informed decisions based on risks identified in their infrastructures.

Smart Medical Devices are medical devices which communicate with Medical Information Systems and which come with remote management, monitoring and sometimes updating capabilities. They impose a challenge to the field of medical information systems as the exploitation of their increased attack surface may affect both patient health and clinical services. Although for some time now, addressing cybersecurity concerns was not a priority for vendors in the medical device field, this has started to change.

The first part of the presentation gave a brief overview of setup and software vulnerabilities, went through an example attack from a clinic waiting lounge targeting a smart infusion pump, explained the risks involved in such attacks for organizations and highlighted possible threat actors.

The second part of the presentation explained the major challenges that clinical organizations face when managing cybersecurity risks and the importance of governance and awareness training in tackling these effectively.

The third part of the presentation highlighted security best practices in the adoption of such devices, including access controls, interaction audits and data protection measures. Ideally these devices must pass three types of security audits: one during development, another one during the approval process by the certification / regulatory body and a final one, when the device is configured at a medical institution. In this way, system vulnerabilities will be dealt with early on in the development lifecycle, the general public will have the assurance that approved devices have passed testing from an independent body and finally, the actual configuration used at the medical institution will also have been reviewed from a security standpoint.

The final part of the presentation touched on the topics of information dissemination and collaboration, as security vulnerability and research disclosures on medical devices were for many years prohibited or conducted behind "closed doors". Openness will allow all stakeholders in the field to gain from the shared security intelligence and to develop more effective mitigations against cybersecurity threats.

CENSUS would like to thank the organizers for participating in this event.

Presentation material: