IT security (also known as information security) refers to the capability of IT systems (and the associated organizations) to ensure the confidentiality, availability, and integrity of systems and data.
Content
This page provides an overview and links to relevant articles on the following topics:
- Objectives of IT security
- Regulatory requirements for IT security
- Assistance with implementation
- Support
1. Objectives of IT security
The acronym CIA makes it easy to remember the objectives of IT security:
- Confidentiality: Confidentiality of, e.g., personal data
- Integrity: The integrity of data and systems
- Availability: The availability of data and systems
Other objectives are sometimes added to this list:
- Accountability: The capability to attribute activities such as the modification of data and systems to a person
- Authenticity: The authenticity and trustworthiness of data and systems
Safety plays a vital role in the healthcare sector. Its objective is to avoid (physical) harm to patients, users, and third parties.
2. Regulatory requirements for IT security
Further information
Please note the article on IT security in healthcare, which deals with the special challenges and regulatory requirements for IT security in healthcare and medical technology.
In Europe, the following laws, among others, must be observed:
- EU Medical Device Regulations MDR and IVDR
- EU General Data Protection Regulation GDPR
- Digital Healthcare Act (Digitale-Versorgung-Gesetz – DVG) and the DiGAV
Additionally, the standard IEC 81001-5-1 is about to be harmonized.
In the USA, for example, the following are relevant
One article looks at security patches from a regulatory perspective, another at the role of the Software Bill of Materials (SBOM).
The article on IT security for legacy devices is also helpful.
3. Assistance with implementation
a) Guides
The Johner Institute’s guide to IT security serves as a checklist for manufacturers. The requirements are easy to check because they are organized according to the software life cycle and formulated as criteria that can be answered with yes or no.
b) Standards
Many standards claim to formulate best practices. Manufacturers should consider these to ensure IT security aligns with the state of the art.
- IEC 81001-5-1: The standard for secure health software that is about to be harmonized
- ISO 29147: How manufacturers should disclose IT vulnerabilities
- IEC 60601-4-5: The standard for IT security also for standalone software?
- ISO 27001: IT security management for all medical device manufacturers?
- IEC 62443-4-1: IT security as part of the product life cycle
- UL 2900: Why you should know the IT security standard but never buy it
- ISO/IEC 15408: Evaluating the IT security of (medical) devices
c) Methods
The standards reference methods that contribute to strengthening IT security. These are presented in the following articles:
- Threat modeling – an introduction
- Assessment of vulnerabilities with the Common Vulnerability Scoring System (CVSS)
- Anonymization and pseudonymization of data
- Fuzz Testing: Evaluating the IT security of devices
d) Specific contexts
Other articles address specific technical and organizational contexts:
- Risk management for hospitals and other operators
- IT networks: Selecting special features for hospitals
- Medical Cloud: Cloud computing in the healthcare sector
- Internet of Things (IoT) in the healthcare sector
4. Support
Do you have further questions, for example about IT security? Then take advantage of our free micro-consulting.
The Johner Institute will be happy to support you so that you can ensure the IT security of your devices and organization and avoid unnecessary trouble:
- The IT security seminar provides a solid introduction specifically for medical device manufacturers.
- The security experts help you design safe medical devices, including threat modeling and risk management.
- Our experts check IT security, e.g., through penetration and fuzz tests.
- Our experts check the proof of IT security in technical documentation and approval files for completeness and legal compliance. This avoids unnecessary delays in approvals.
Please do not hesitate to contact us! The Johner Institute team looks forward to helping you!
The EU General Data Protection Regulation must be complied with from 25 May 2018 at the latest. Many companies, among them medical device manufacturers and operators such as hospitals, are not adequately prepared. This article reviews the main concepts and requirements of the General Data Protection Regulation and examines…
TIR 57 is a “Technical Information Report” from the American AAMI. It is intended to assist in recognizing and controlling risks due to inadequate IT security of medical devices, thus fulfilling the requirements of ISO 14971 for risk management.
TIR 57: Summary for readers in a hurry
The AAMI TIR 57 is a guidance document…