22nd February 2017 - IET Birmingham

Join us for this masterclass in Information Security in healthcare applications and medical devices.

specialists in medical device software, connected devices and cybersecurity.


Cyber Security in MEDICAL DEVICEs

The continual flow of Cyber Security breaches in the mainstream news has highlighted the degree of vulnerability that exists to this type of attack and the consequences of security failures. Whilst these attacks may cause embarrassment, inconvenience and have serious financial implications, medical devices - by their very nature - have the capacity to cause harm, either directly (as in the case of an infusion pump, for example) or indirectly (through an incorrect diagnosis). Like any other computer system, medical devices are vulnerable to security threats and this has the potential to affect the safety and effectiveness of the device. The trend of making devices more connected - to the Internet, hospital networks, and to other medical devices – increases this vulnerability.

What Are The Threats

The threats can be considered to fall into two groups. Firstly, an attacker may take control of one or more devices with the deliberate intent of harming a patient. Motives for this could range from “ransomware”, i.e. organised criminals aiming to blackmail healthcare providers or device manufacturers, a new form of terrorist attack, industrial sabotage or simply an individual with the intent to cause harm for whatever reason he or she might have (In Australia, 49-year-old Vitek Boden conducted a series of electronic attacks on the Maroochy Shire sewage control system after a job application he had made was rejected by the area's Council – he was able to take control of the sewage management system and caused millions of litres of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel. He is currently serving a two year jail sentence).

The second threat is the presence of some unauthorised program – which could be a virus, worm or any other program that compromises the effectiveness or safety of a medical device. Here the intent might not be to cause harm to a patient, but it might lead to that all the same.


Dealing with these security issues is something the medical device industry is late to address, particularly when compared with the commercial world, and perhaps for good reasons – patching an operating system may well invalidate extensive software validation efforts and lead to increased costs. However, in the commercial world preventing an attack might be considered successful if the attacker’s intent is blocked, even if the program under attack is prevented from performing its intended function. In the case of a medical device, such as an infusion pump, this might not be the case. So the need for effective (and cost-effective) strategies for dealing with security threats is critical.


There will be no one single answer to this problem, but effective strategies will fall into two broad areas: prevention and detection. Prevention strategies will aim to build robust and secure systems that are extremely difficult to penetrate. Detection strategies will include ongoing monitoring to detect the presence of malicious code, either directly or indirectly (e.g. through the side effects of its presence), or to detect if any unauthorised control of a device has been achieved.


Information Security Management System (ISMS) and the importance in protecting critical business processes.

It can be difficult to know where to begin when considering the issue of Cyber Security. At this point, it is imperative that we turn to international standards for guidance because they are the consensus amongst industry experts on what constitutes best practice.
The information standard, ISO 27001 tells us that starting with an ISMS is the most effective way to begin to protect our business and its information.
The ISMS provides protection from major failures of information systems and information security incidents. Implementing an ISMS also allows for operations to resume in a swift manner when security lapses occur.
It is not unusual for companies to be put off implementing an ISMS due to potential costs and a lack of understanding of its relevance. It’s also common for companies to believe that they already have certain operations in place for potential cyber-attacks and lapses in security.
Who is it relevant to?
An ISMS is relevant to all organisations regardless of whether they utilise stand-alone computers or complex heterogenic network systems.
The advantages of encompassing and ISO 27001 are significant and here are some of the key elements:
1. Implementing an ISMS provides procedures to not only consider antivirus software but also encompass processes, people and the IT systems themselves.
2. Compliance is a key issue when considering an ISMS. Compliance will often provide the quickest ‘return on investment’. The ISO 27001 standard allows for companies/organisations to incorporate methodology regarding data protection, privacy and IT governance. Naturally, this is particularly an issue within health organisations.
3. It allows for greater credibility with staff, clients and partner organisations. It may provide a marketing edge in a competitive market that is likely to instil confidence in clients and investors.
4. A short term cost can lead to a long term gain. Investing in implementing an ISMS will provide more robust protection and minimise risk of suffering much greater costs.
5. An ISO 27001 compliant ISMS provides a structured framework for organising roles and responsibilities. Implementing an ISMS ensures that responsibilities and duties are defined quite clearly and this naturally creates a better informed and capable workforce.
6. It protects all types of information, e.g. email, verbal information, written data.

In the medical devices sector, there is a potential for harm to patients and operators and this introduces a new dimension to information security. Risk Management in medical devices seeks to minimise risk of harm to patients and personnel. Where hazardous situations can be caused by information security breaches, either through data integrity corruption or from lack of availability of data when it is needed, then an ISMS is the best mitigation because it provides a systematic approach to the management of information security.


  • Vulnerability Analysis
  • Penetration Testing 
  • Threat Analysis & Risk Treatment 
  • Information Security Management System (ISMS) development
  • Malware Analysis
  • Security Awareness Training & Advanced Security Training
  • Software architecture and design