qtec-group

Cybersecurity for medical devices

June 2025

Imagine a severely injured patient being rushed into the emergency department of a major university hospital. Every minute counts, but life-saving treatment is delayed. The reason? A cyberattack has disrupted the hospital’s IT systems, and the medical devices are not functioning properly.
Doesn’t it sound like something out of a thriller? Unfortunately, it's not. This exact scenario occurred in September 2020 at the University Hospital of Düsseldorf. A ransomware attack severely damaged the hospital’s IT infrastructure. The attackers exploited a software vulnerability to encrypt the entire network and demanded a ransom. The result: major disruptions in hospital operations, closure of the emergency room, and transfer of patients to other hospitals.

According to the German Federal Office for Information Security (BSI), nearly 70 new software vulnerabilities were reported daily in 2023. And as the number of vulnerabilities increases, so does the potential damage: about one in six is classified as critical.

Development errors cannot be fixed by software alone

Digital progress has not stopped at medical devices. Along with potential risks, it offers many opportunities for enhanced functionality for patients and improved usability for healthcare professionals. The growing emphasis on cybersecurity in medical devices is also reflected in regulatory standards, for example in the MDCG 2019-16 “Guidance on Cybersecurity for medical devices” from 2019. In addition, IEC 81001-5-1 “Health software and health IT systems safety, effectiveness and security” may be applicable, with harmonization planned for both medical devices and IVDs. Currently, the implementation of IEC 81001-5-1 is not yet mandatory for manufacturers.

What does that mean for medical device manufacturers?

The ransomware attack on the University Hospital of Düsseldorf is a striking example of how the performance of a medical device can be compromised. But data security must also not be overlooked. Damage doesn’t only occur when a product fails or a patient is harmed, but it also occurs when sensitive information, such as patient records or analysis results, is stolen.

Therefore, the task is clear: a medical device must be protected against external interference that could cause it to malfunction or become non-functional. Furthermore, any data transmitted must remain secure and intact at all times. This means that risk management must be closely coordinated with IT security experts and must begin as early as the development planning phase. After all, development errors cannot be fixed by software alone!

Post-market surveillance must also be expanded to monitor all potential security vulnerabilities that could impact the product. Manufacturers need to consider several critical questions:

  • What impact do security updates from the operating system provider have on the product and its security features?
  • What if the operating system is no longer supported and updated with security updates?
  • To what extent must the system be protected against intentional tampering by users?

Even if all precautions are taken, how can you protect your product if the healthcare facility itself has security gaps? As part of the risk management, manufacturers must consider the environment in which the medical device will be used. A device operated in a home Wi-Fi network is exposed to different attack vectors than one used in a hospital with a secure cloud infrastructure.

Therefore, the guiding principle is: identify all conceivable security risks, assess them, eliminate them where possible, and communicate any residual risks.

Important to note: Security risks can directly impact patient safety. We can help you effectively integrate risk management and cybersecurity processes to achieve a high level of security with less effort.

As with all medical devices, the work doesn’t end with development and market launch.

This is especially true for products that include software. A robust maintenance cycle is essential to address newly discovered vulnerabilities promptly.

IEC 81001-5-1 supports planning across all lifecycle phases. Based on the framework of IEC 62304, it outlines activities throughout the entire product lifecycle, with a strong focus on cybersecurity. Particularly valuable are the methods and procedures for security risk management, which are detailed in Annexes A to C.

A methodical approach to identifying and managing security threats might follow these key steps:

  1. Identify protectable assets: Depending on the product and its use, protectable assets may include patient data with current diagnoses, data integrity, system availability, or configuration data.
  2. Identify the operating environment: Refer to the intended purpose and use environment. Is the device used in a secure setting (e.g., hospital information system) or an insecure one (e.g., a home-use medical app)? This will also determine who has access to the product and through what means.
  3. Identify interfaces: What physical or software interfaces does the device have? Don’t overlook development or service interfaces that remain on the device. Interfaces can also serve as security barriers—for example, opting for wired data transfer instead of wireless communication can reduce risk.
  4. Identify attack vectors: Use methods like STRIDE or OWASP to systematically identify potential attack scenarios.

The outcomes must then be processed similarly to risk management as defined in ISO 14971.
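The four steps above can be run as a small enumeration, shown here as an added example that is not part of the original article. The device, its assets and interfaces, and the `exposure` ranking heuristic are constructed assumptions; only the STRIDE category-to-property mapping is standard.

```python
from dataclasses import dataclass

STRIDE = {  # STRIDE category -> security property it violates
    "Spoofing": "authenticity",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}

@dataclass(frozen=True)
class Asset:  # step 1: protectable asset and the properties it needs
    name: str
    properties: frozenset

@dataclass(frozen=True)
class Interface:  # step 3: physical or software interface
    name: str
    wireless: bool
    service_only: bool  # development/service interface left on the device
    reaches: tuple  # names of the assets reachable through it

def exposure(iface, environment):  # heuristic assumed for this example only
    return 1 + iface.wireless + iface.service_only + (environment == "home")

def enumerate_threats(assets, interfaces, environment):
    """Step 4: one candidate threat per interface x asset x STRIDE category."""
    by_name = {a.name: a for a in assets}
    threats = [
        (exposure(iface, environment), iface.name, name, category)
        for iface in interfaces
        for name in iface.reaches
        for category, prop in STRIDE.items()
        if prop in by_name[name].properties
    ]
    return sorted(threats, key=lambda t: (-t[0], t[1:]))

# Constructed sample device: a hypothetical home-use infusion pump
ASSETS = [
    Asset("patient data", frozenset({"confidentiality", "integrity"})),
    Asset("dosing configuration", frozenset({"integrity", "availability", "authorization"})),
]
INTERFACES = [
    Interface("Bluetooth app link", True, False, ("patient data",)),
    Interface("USB service port", False, True, ("patient data", "dosing configuration")),
]

for row in enumerate_threats(ASSETS, INTERFACES, "home"):  # step 2: environment
    print(*row, sep=" | ")
```

Each resulting row is a candidate threat to be assessed and controlled in the ISO 14971-style risk process; the service port shows up with the same exposure as the wireless link because it was left on the device.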

The MDCG 2019-16 guidance document (specifically the lifecycle stages) provides excellent approaches for achieving secure design of medical devices throughout their entire lifecycle:

"Secure by Design"

To implement a robust security system, eight essential aspects must be addressed throughout a product’s lifecycle:

  1. Security management:
    Ensure all necessary security-related activities are properly planned, documented, and executed throughout the entire lifecycle.
  2. Specification of security requirements:
    Identify all necessary requirements to ensure confidentiality, integrity, and availability of data, function and service.
  3. Security by Design:
    Prevent security risks during product development. Cybersecurity must be explicitly integrated into the development process.
  4. Secure implementation:
    Define processes for securely implementing product improvements.
  5. Security verification and validation:
    Document all relevant testing to ensure security requirements are met and that the product is secure when used as intended.
  6. Handling security issues / fault management:
    Ensure processes are in place to manage and respond to security-related issues.
  7. Security updates:
    Establish processes to test, address, and promptly deliver security patches and updates to users.
  8. Security policies:
    Provide clear documentation and user guidelines for integration, configuration, and maintenance of security standards.

Only a combination of all aspects, aiming to build a comprehensive security system, can ensure that a product is protected against external threats.

Thinking Beyond the Obvious

If you want to match or even surpass your competitors, you must face this challenge. You’re ready, but feeling overwhelmed? Are terms like threats, STRIDE, or defense-in-depth unfamiliar territory?

We’re here to guide you through it. Our experts can help you understand and navigate the necessary requirements to protect your product—and your company—against unauthorized interference. Partner with us to confidently navigate the path to secure medical devices.
