Medical Device Security - Learnings From Countless Security Assessments

Over the last few years, I have been part of many security assessments for medical devices and their accessories. These assessments allowed me to get unique insights into the medical device industry and its relationship with IT security. In this talk, I will discuss these insights and come up with tangible learnings that the industry can apply to enhance the IT security of medical devices.

The talk will start with an overview of the types of vulnerabilities that were discovered during the assessments. In particular, I will show which of these types were most prevalent during the assessments. This analysis is enriched with restrictions and difficulties encountered that hardly impact the design of active medical device ecosystems and infrastructures. Then, I will provide practical measures that medical device vendors can apply to prevent such vulnerabilities.

Afterward, I will focus on the accompanying vulnerability disclosure processes we encountered as part of assessments or from research performed, such as in the ManiMed project of the Federal Office for Information Security (BSI). Here, I will discuss bad and good examples to show what an adequate disclosure process should look like ultimately.

In the last part of my talk, I will present the current legal and regulatory requirements that medical devices must adhere to. As these requirements focus primarily on the safety of patients, I will discuss how these requirements often may not lead to an optimal security posture. This will be further reinforced with examples coming from the assessments.