BSI Projects in Medical Technology

In its ongoing effort to monitor the cyber security of medical devices and work towards improvements in this field, the BSI called for proposals in several healthcare-related projects last year. The BSI's first step in these endeavours was to take an extensive look at the market in question. Corresponding devices were then selected for subsequent technical security tests. Once these projects are complete, the BSI plans to publish their results in close cooperation with the respective manufacturers and various security analysts.

The BSI has a strong interest in testing current devices that can be expected to remain available on the market for some time, include a large number of interfaces, and can also be used in a networked manner in operational settings. For this reason, its projects prioritise how current and how interconnected devices are when determining which will be considered. This is, after all, the only way to guarantee a realistic assessment of the current technical security of devices used in the field of medicine.

Working closely with manufacturers and security analysts and making a common effort to address vulnerabilities is especially important to the BSI, which hopes to use such projects as opportunities to build and maintain trust. Along with the BSI's relationships with manufacturers and analysts, this naturally also applies to all the other individuals and organisations involved in these projects, such as supervisory authorities and specialist users.

CyberPraxMed

Doctors' offices are essential for handling sensitive medical data and are connected to the German healthcare network. However, little research has so far been done on the security situation of their IT infrastructure. To improve resilience in health care and effectively enhance cyber security, the Federal Office for Information Security (BSI) performed a study called CyberPraxMed and evaluated data from a survey of 16 selected doctors' offices. The survey focused on network structure, personal aspects of the staff, and any security precautions already in place. The offices were selected by the doctor's specialty, the number of staff, and their geographical location in Germany.

As a result, a report, the CyberPraxMed Abschlussbericht, was written. It includes an evaluation of the vulnerabilities found and, in addition, a short guide with recommendations that allows doctors to harden their offices against cyber-attacks with the least possible effort.

ManiMed

The BSI project ManiMed ("Manipulation of Medical Devices") recently focused on examining and analysing the technical security aspects of various network-enabled medical devices. It inspected the technical cyber-security features of medical devices from five defined classes:

  • Implantable pacemakers and cardioverter-defibrillators (ICDs), including their programming units and accessories
  • Ventilators
  • Patient monitors
  • Insulin pumps
  • Syringe pumps

The ManiMed project started in early 2019.

eCare

Another recent project, eCare -- Digitisation in Care, sought to examine the technical security aspects of network-enabled devices used in caring for the elderly. Rather than focusing on conventional medical devices like insulin pumps or patient monitors, it dealt mainly with IoT products such as network-enabled beds, smart tableware, reminder services, and at-home emergency call systems. Such products are meant to improve the ability of people with chronic illnesses or care needs to manage their everyday lives.

All related reports and publications can be accessed via the links below.