As secuview readers know, cybersecurity is one of the major challenges of increasing networking. This can be seen very clearly in the healthcare sector: the Internet of Medical Things (IoMT) is developing at a rapid pace, while at the same time healthcare is one of the industries with particularly high risks. If IT fails, the health of patients is at stake. Media reports about ransomware attacks on hospitals have become more frequent in recent years. These attacks do not even have to be targeted at specific institutions: if mass-spread malware enters a hospital's IT infrastructure, it can disrupt or, in the worst case, even paralyze medical care. Another scenario has become increasingly common since the COVID-19 pandemic: patients are discharged from hospital at an early stage because they can recover better at home, have their families around them and are also less likely to get infections. Furthermore, medical resources are spared, which was particularly important during the pandemic. In the UK, the term "Hospital at Home" was coined to describe this. Patients are provided with monitoring devices for use in their home, which then continuously monitor their health status and send it to the medical facility. In this remote monitoring scenario, cybersecurity is extremely important: on the one hand for data protection reasons, and on the other hand because the monitoring equipment must not be compromised and subsequently fail or deliver incorrect data. The Hospital at Home therefore brings great advantages, but also risks, and the latter primarily have to do with cybersecurity.
In principle, the same concepts that are also effective in other sectors can help: multi-level security in the sense of "defense in depth" and, above all, the inclusion of cybersecurity aspects in product development, i.e. "security by design". This also relieves the burden on patients: Remote monitoring is often used with patients who are members of an older generation, who cannot be assumed to be well versed in IT. This can be problematic if, for example, security depends on the correct operation of the devices or on security measures that users have to take. In addition, elderly, sick people tend to be more vulnerable to certain forms of attack such as social engineering. It is therefore ethical to relieve users of responsibility for IT security. This can be achieved if the technology itself is well protected.
We will only achieve security by design if cybersecurity is part of the approval processes to which medical technology products are subject. This is essentially the current situation, but there is a problem: traditionally, the processes take quite a long time, and this no longer fits in with the rapid innovation cycles of modern digital technology. The testing processes must therefore be accelerated, and they must also take new developments and approaches into account and be geared towards real-life application scenarios. This is precisely what the European Commission wants to tackle as part of its "Horizon Europe" program. Medical technology is not only regulated at national level, but also at EU level, which is why the initiative came from there.
Exactly, the EU is funding the project, which links an extensive catalog of research tasks. In the CYMEDSEC consortium, we are working together on these tasks. The project partners are universities and other research institutions, medical facilities, authorities and technology companies from various EU countries and Switzerland. For the most part, these are organizations that have already worked well together in the past. I am very pleased with the composition of the consortium.
First of all, we want to analyze how medical technology regulation is currently set up at European level, how it should be set up and where there are currently gaps – also in comparison to regulation at national level, within and outside the EU, as well as to general cybersecurity regulations such as the "Network and Information Security" directive NIS-2. Another aspect is the comparison with current regulations relating to medicinal products and medical devices: How are benefits and side effects balanced in these areas, and can this be transferred to networked medical technology? The premise behind this is that certain risks are acceptable in order to be able to exploit the benefits, while others are not – similar to medication. We also look at how networked devices are operated, the typical vulnerabilities that arise, what attack models exist and how security can be increased. Finally, we turn our attention to the next generation of medical technology: what needs to be considered in terms of security when patients procure IoMT devices themselves or even when their smartphones are used for IoMT communication?
Absolutely, from a technical point of view, smartphones have all the capabilities required for IoMT networking. From an information security perspective, however, it is not quite so simple: if a smartphone is to process and send both private and medical data, special security measures must be put in place. Separate security layers at hardware and software level can ensure that the monitoring data is protected against unauthorized access. We are working closely with secunet and the Barkhausen Institute, which is also a project partner, to develop appropriate concepts. The smartphone scenario also assumes that the remote monitoring app is installed correctly, that updates are carried out regularly, etc. It must be borne in mind that this is a situation where an IT issue meets a predominantly older patient population.
That depends on how many patients use the service. Let's assume that a cyberattack, whether targeted or not, completely paralyzes the system. If we are still in the test phase with only a few users, the consequences can probably be mitigated well. But if several thousand patients use the service at a later stage, the consequences could be very serious. In an article that will be published in the high-profile scientific journal "Nature Portfolio Journals: npj Digital Medicine" in spring 2024, we play out precisely this scenario: we explore the chain of events and consequences in a fictitious security failure of a remote monitoring system with a very large number of patients. There are approaches that could minimize the consequences of such an incident, for example having reserve personnel resources for medical care at home who can take over in an emergency. However, this removes many of the efficiency benefits of remote care. For this reason, where medical technology is used in critical infrastructure and in new home care strategies, it must be designed to be so secure from the outset that emergencies do not occur at all, or only very rarely. Investments are required both for redundancy in personnel planning and for security by design.
The project will run for four years. In my view, there are enough starting points for research to continue after that. For example, we are currently concentrating on monitoring technology when looking at the "Hospital at Home" concept. However, there is also technology that is used at home for therapeutic purposes. With such devices, the risks of cyberattacks are even higher, as the physical safety of patients could be directly jeopardized in the event of manipulation or malfunction. I can imagine that research will also go in this direction in the future. At the moment, however, we are very busy with the current research mandate.
Since 2022, Prof. Stephen Gilbert has held the Else Kröner Professorship for Medical Device Regulatory Science at the EKFZ for Digital Health at TUD Dresden University of Technology. For the first time in Germany, a medical faculty is conducting research into how innovative medical devices can reach patient care more quickly.
Gilbert received his PhD in computational biology from the University of Leeds. He was a researcher in cell physiology, specializing in the clinical evaluation and testing of medical products and the underlying regulatory requirements and their implementation. From May 2019 he was Clinical Evaluation Director in the medical department of Ada Health in Berlin, and from 2017 to 2019 Clinical Evaluation Manager in the regulatory department at BIOTRONIK.
secunet is a partner of the CYMEDSEC project and makes an important contribution to the development of methods and solutions for secure medical technology. The company also shares its expertise in the development of security solutions in regulated areas.
secuview is the online magazine of secunet, Germany's leading cybersecurity company. Whether cloud, IIoT, home office, eGovernment or autonomous driving - there can be no digitisation without security.