IT security

IT security (also known as information security) refers to the capability of IT systems (and the associated organizations) to ensure the confidentiality, availability, and integrity of systems and data.

1. Objectives of IT security

The acronym CIA makes it easy to remember the objectives of IT security:

• Confidentiality: Confidentiality of, e.g., personal data
• Integrity: The integrity of data and systems
• Availability: The availability of data and systems

Other objectives are sometimes added to this list:

• Accountability: The capability to attribute activities such as the modification of data and systems to a person
• Authenticity: The authenticity and trustworthiness of data and systems

Safety plays a vital role in the healthcare sector. Its objective is to avoid (physical) harm to patients, users, and third parties.

2. Regulatory requirements for IT security

In Europe, the following laws, among others, must be observed:

• EU Medical Device Regulations MDR and IVDR
• EU General Data Protection Regulation GDPR
• Digital Healthcare Act (Digitale-Versorgung-Gesetz – DVG) and the DiGAV

Additionally, the standard IEC 81001-5-1 is about to be harmonized.

In the USA, for example, the following are relevant

• Cybersecurity Guidance documents from the FDA
• HIPAA
• Health Breach Notification Rule
• Regulations of the Federal Trade Commission FTC

Another article takes a look at security patches from a regulatory perspective, another at the role of the Software Bill of Materials SBOM.

The thoughts on IT security for legacy devices are helpful.

3. Assistance with implementation

a) Guides

The Johner Institute’s guide to IT security serves as a checklist for manufacturers. The requirements are easy to check because they are organized according to the software life-cycle and formulated as binary answerable criteria.

b) Standards

Many standards claim to formulate best practices. Manufacturers should consider these to ensure IT security aligns with the state of the art.

• IEC 81001-5-1: The to be harmonized standard for secure health software
• ISO 29147: How manufacturers should disclose IT vulnerabilities
• IEC 60601-4-5: The standard for IT security also for standalone software?
• ISO 27001: IT security management for all medical device manufacturers?
• IEC 62443-4-1: IT security as part of the product life cycle
• UL 2900 – Why you should know the IT security standard but never buy it
• ISO/IEC 15408: Evaluating the IT security of (medical) devices

c) Methods

The standards reference methods that contribute to strengthening IT security. These are presented in the following articles:

• Threat modeling – an introduction
• Assessment of vulnerabilities with the Common Vulnerability Scoring System (CVSS)
• Anonymization and pseudonymization of data
• Fuzz Testing: Evaluating the IT security of devices

d) Specific contexts

Other articles address specific technical and organizational contexts:

• Risk management for hospitals and other operators
• IT-networks: Selecting special features for hospitals
• Medical Cloud: Cloud computing in the healthcare sector
• Internet of Things (IoT) in the healthcare sector