IT security (also known as information security) refers to the capability of IT systems (and the associated organizations) to ensure the confidentiality, availability, and integrity of systems and data.

Content

This page provides an overview and links to relevant articles on the following topics:

  1. Objectives of IT security
  2. Regulatory requirements for IT security
  3. Assistance with implementation
  4. Support

1. Objectives of IT security

The acronym CIA makes it easy to remember the objectives of IT security:

  • Confidentiality: Confidentiality of, e.g., personal data
  • Integrity: The integrity of data and systems
  • Availability: The availability of data and systems

Other objectives are sometimes added to this list:

  • Accountability: The capability to attribute activities such as the modification of data and systems to a person
  • Authenticity: The authenticity and trustworthiness of data and systems

Safety plays a vital role in the healthcare sector. Its objective is to avoid (physical) harm to patients, users, and third parties.

2. Regulatory requirements for IT security

Further information

Please note the article on IT security in healthcare, which deals with the special challenges and regulatory requirements for IT security in healthcare and medical technology.

In Europe, the following laws, among others, must be observed:

  • EU Medical Device Regulations MDR and IVDR
  • EU General Data Protection Regulation GDPR
  • Digital Healthcare Act (Digitale-Versorgung-Gesetz – DVG) and the DiGAV

Additionally, the standard IEC 81001-5-1 is about to be harmonized.

In the USA, for example, the following are relevant

Another article takes a look at security patches from a regulatory perspective, another at the role of the Software Bill of Materials SBOM.

The thoughts on IT security for legacy devices are helpful.

3. Assistance with implementation

a) Guides

The Johner Institute’s guide to IT security serves as a checklist for manufacturers. The requirements are easy to check because they are organized according to the software life-cycle and formulated as binary answerable criteria.

b) Standards

Many standards claim to formulate best practices. Manufacturers should consider these to ensure IT security aligns with the state of the art.

  • IEC 81001-5-1: The to be harmonized standard for secure health software
  • ISO 29147: How manufacturers should disclose IT vulnerabilities
  • IEC 60601-4-5: The standard for IT security also for standalone software?
  • ISO 27001: IT security management for all medical device manufacturers?
  • IEC 62443-4-1: IT security as part of the product life cycle
  • UL 2900 – Why you should know the IT security standard but never buy it
  • ISO/IEC 15408: Evaluating the IT security of (medical) devices

c) Methods

The standards reference methods that contribute to strengthening IT security. These are presented in the following articles:

  • Threat modeling – an introduction
  • Assessment of vulnerabilities with the Common Vulnerability Scoring System (CVSS)
  • Anonymization and pseudonymization of data
  • Fuzz Testing: Evaluating the IT security of devices

d) Specific contexts

Other articles address specific technical and organizational contexts:

  • Risk management for hospitals and other operators
  • IT-networks: Selecting special features for hospitals
  • Medical Cloud: Cloud computing in the healthcare sector
  • Internet of Things (IoT) in the healthcare sector

4. Support

Do you still have questions, for example, about IT security? Then, please take advantage of our free micro-consulting.

The Johner Institute will be happy to support you so that you can ensure the IT security of your devices and organization and avoid unnecessary trouble:

  • The IT security seminar provides a solid introduction specifically for medical device manufacturers.
  • The security experts help you design safe medical devices, including threat modeling and risk management.
  • Our experts check IT security, e.g., through penetration and fuzz tests.
  • Our experts check the proof of IT security in technical documentation and approval files for completeness and legal compliance. This avoids unnecessary delays in approvals.

Please do not hesitate to contact us! The Johner Institute team looks forward to helping you!