IT security (also known as information security) refers to the capability of IT systems (and the associated organizations) to ensure the confidentiality, availability, and integrity of systems and data.
Content
This page provides an overview and links to relevant articles on the following topics:
- Objectives of IT security
- Regulatory requirements for IT security
- Assistance with implementation
- Support
1. Objectives of IT security
The acronym CIA makes it easy to remember the objectives of IT security:
- Confidentiality: The confidentiality of, e.g., personal data
- Integrity: The integrity of data and systems
- Availability: The availability of data and systems
Other objectives are sometimes added to this list:
- Accountability: The capability to attribute activities such as the modification of data and systems to a person
- Authenticity: The authenticity and trustworthiness of data and systems
Safety plays a vital role in the healthcare sector. Its objective is to avoid (physical) harm to patients, users, and third parties.
2. Regulatory requirements for IT security
Further information
Please note the article on IT security in healthcare, which deals with the special challenges and regulatory requirements for IT security in healthcare and medical technology.
In Europe, the following laws, among others, must be observed:
- EU Medical Device Regulations MDR and IVDR
- EU General Data Protection Regulation GDPR
- Digital Healthcare Act (Digitale-Versorgung-Gesetz – DVG) and the DiGAV
Additionally, the standard IEC 81001-5-1 is about to be harmonized.
In the USA, for example, the following are relevant:
One article takes a look at security patches from a regulatory perspective, another at the role of the Software Bill of Materials (SBOM).
The thoughts on IT security for legacy devices are helpful.
3. Assistance with implementation
a) Guides
The Johner Institute’s guide to IT security serves as a checklist for manufacturers. The requirements are easy to check because they are organized according to the software life-cycle and formulated as binary answerable criteria.
b) Standards
Many standards claim to formulate best practices. Manufacturers should consider these to ensure IT security aligns with the state of the art.
- IEC 81001-5-1: The standard for secure health software that is about to be harmonized
- ISO 29147: How manufacturers should disclose IT vulnerabilities
- IEC 60601-4-5: The standard for IT security also for standalone software?
- ISO 27001: IT security management for all medical device manufacturers?
- IEC 62443-4-1: IT security as part of the product life cycle
- UL 2900 – Why you should know the IT security standard but never buy it
- ISO/IEC 15408: Evaluating the IT security of (medical) devices
c) Methods
The standards reference methods that contribute to strengthening IT security. These are presented in the following articles:
- Threat modeling – an introduction
- Assessment of vulnerabilities with the Common Vulnerability Scoring System (CVSS)
- Anonymization and pseudonymization of data
- Fuzz Testing: Evaluating the IT security of devices
d) Specific contexts
Other articles address specific technical and organizational contexts:
- Risk management for hospitals and other operators
- IT networks: Special features for hospitals
- Medical Cloud: Cloud computing in the healthcare sector
- Internet of Things (IoT) in the healthcare sector
4. Support
Do you still have questions about IT security? Then please take advantage of our free micro-consulting.
The Johner Institute will be happy to support you so that you can ensure the IT security of your devices and organization and avoid unnecessary trouble:
- The IT security seminar provides a solid introduction specifically for medical device manufacturers.
- The security experts help you design safe medical devices, including threat modeling and risk management.
- Our experts check IT security, e.g., through penetration and fuzz tests.
- Our experts check the proof of IT security in technical documentation and approval files for completeness and legal compliance. This avoids unnecessary delays in approvals.
Please do not hesitate to contact us! The Johner Institute team looks forward to helping you!
The NIS-2 (Network and Information Security) Directive is a European directive (Directive (EU) 2022/2555) that sets minimum standards for cybersecurity within the EU. Does this directive also affect IVD and medical device manufacturers? If so, what does it require, and what should manufacturers do? This article provides answers. 1. What NIS-2 is about a) Objective…
Laws require risk management in hospitals, especially in order to improve patient safety. Nevertheless, many hospitals find this difficult. This article presents the most important regulatory requirements and provides tips for implementation. 1. Typical risks in a hospital a) Risks for patients The most important risks for patients include: b) Risks for all people in…
Medical device cybersecurity is a focus not only for the FDA but also for other legislators and authorities, both in the US and in other markets. This is understandable. The USA has added requirements for cyber devices to the Food, Drug & Cosmetic Act (FD&C), and the FDA has published several guidance documents on cybersecurity, which…
Understandably, laws and standards also require IT security for legacy devices. However, the way in which these requirements are formulated often leads to confusion. For example, legislators and standard committees have been unable to agree on common definitions. One definition refers to the IT security of legacy devices, another to the IT security of old…
The cybersecurity standard IEC 81001-5-1 focuses on how IT security needs to be taken into account in the software life cycle. As a special standard for health software, it supplements IEC 82304-1 and IEC 62304 among others, and can close gaps that urgently need to be closed. The EU is currently planning to harmonize IEC…
The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes requirements for processing protected health data. Institutions that collect or process these data in the USA and their subcontractors must comply with HIPAA if they want to avoid sanctions. For European companies in particular, HIPAA is a regulation that is difficult to understand…
We have known how vulnerable IT security is in the healthcare sector since February 2016, when the IT infrastructures of many clinics were brought to a standstill by a simple virus attack. As a result, the authorities are paying closer attention to ensuring that not only clinics but also manufacturers guarantee the IT security of…
The third edition of ISO 14971 has been available since December 2019. This new version of ISO 14971 was published as ISO 14971:2019. It is an evolutionary development of ISO 14971:2007 and does not break with previous concepts. Manufacturers should familiarize themselves with the new and amended requirements of this standard. In December 2019, the…
Threat modeling is a “mandatory” topic for all manufacturers of medical devices that contain or are software. This is because threat modeling is a structured process for the systematic analysis of IT security risks that auditors consider to be the “state of the art.” 1. Why should you use threat modeling? Reason 1: To develop secure devices…
On November 21, the Johner Institute, together with TÜV SÜD, TÜV Nord, and with the support of Dr. Heidenreich (Siemens), published a guideline on IT security specifically for medical device manufacturers. Who the IT Security Guideline is aimed at The guideline is aimed at all manufacturers of medical devices (persons placing on the market, service…