IT security in the health sector: Regulation is necessary and overdue

IT security in the health sector: Regulation is necessary and overdue

Open inter­faces, outdated technology and different interests: IT security in the health sector is a complex topic, after all it is about the needs and safety of the patient. A major problem is the lack of regulation on the part of author­ities such as the Federal Institute for Drugs and Medical Technology and the Federal Office for Infor­mation Security — currently there are only recom­men­da­tions but no binding guidelines.

The Federal Office for Infor­mation Security (BSI), the Federal Institute for Drugs and Medical Devices (BfArM) and gematik are the competent author­ities for IT security of medical devices in Germany. It must be ensured that unautho­rised persons cannot use the IT in medical devices and systems against the patient and that compo­nents and systems are only open to autho­rised persons. Companies special­ising in IT security, such as SRC Security Research & Consulting GmbH from Bonn, can help here. Regulation is necessary to create security standards — although a sense of proportion is needed here. Because over-regulation can also cause damage.

Under the title “IT Security in the Healthcare Sector: Regulation is necessary and overdue” (german), the magazine “all about security” gave Randolf-Heiko Skerka, Head of IS Management at SRC Security Research & Consulting GmbH, the oppor­tunity to comment comprehensively.

If you are inter­ested, we would be pleased to hear from you.

BSI Medical and Care Products

BSI publishes study results on the security of medical products and care products

The thoughts of unsafe medical or care products is discon­certing. Especially in a sensitive area such as the health care sector, the affected person trusts in the best possible help. But especially with the advancing digital­i­sation in the healthcare sector, vulner­a­bil­ities are increas­ingly appearing in networked medical‑, IoT- and elderly care products. If such vulner­a­bil­ities are discovered or even exploited, this often poses a major problem for users and manufac­turers of these products.
The Federal Office for Infor­mation Security (BSI) therefore initiated the projects “ManiMed — Manip­u­lation of Medical Devices” and “eCare — Digiti­sation in Care” in order to be able to assess the IT security of selected products.

he studies now published by the BSI enable manufac­turers to improve the IT security features of their products. In addition, users of medical devices are informed about which IT security features could be critical. Improved IT security features strengthen the confi­dence of patients and doctors in the security of networked medical devices. In the study, a total of six products from different categories were examined in terms of IT security.

SRC played a major role in the prepa­ration of the eCare study. The study focused on networked products (both medical and IoT products) that are used in the field of care for the elderly or sick. These include, for example, devices for measuring vital data or a tablet for senior citizens. A total of six products from different categories were examined from an IT security perspective. The results of the study can be found on the BSI website for Download.

In summary, the IT security level of the products examined can be rated as poor to very poor. The results lead us to believe that none of the products examined, including their inter­faces, apps, etc., have been subjected to a profes­sional security evalu­ation, an independent penetration test or similar.