Interviews

In-person interviews

Informal discussions

We attended several conferences, including the cyber days in Rennes. Some of the participants we met there were later included in our panel study.

Qualitative study

Because little information is available online, we directly interviewed healthcare professionals (CISO/IT staff and biomedical engineers in hospitals, as well as a few medical practitioners) and solution vendors. We conducted 20 interviews, most of which lasted about one hour.

We had defined a semi-structured questionnaire (one for healthcare professionals, one for vendors). Our objective was to define high-level use cases (detailed in the "use cases" section).

Part 1: Global issues

  • What is your position?

  • Do you have a CISO?

  • From 1 to 10, how do you rate the security of your connected devices? Why?

Part 2: Security posture

  • How secure do you think your patients' medical data is?

  • How well do you think you comply with the GDPR (General Data Protection Regulation), on a scale of 1 to 10?

  • Are you using a cloud platform? If so, do you know where your data is stored?

  • Do you think that the medical staff are sufficiently trained in cybersecurity issues?

  • Do they receive training? If so, how often (when new equipment arrives, every X months, occasionally, never)?

  • Is access to the hospital's network limited and strictly controlled?

  • Is the addition of new connected medical equipment verified?

  • Is there a dedicated network for medical devices?

  • As a member of the IT team, are you involved upstream in the purchase of new medical equipment?

  • Do you assess the security policy of your suppliers?

  • When buying a new product or acquiring a new application, do you systematically carry out a security assessment?

  • Do you have a security monitoring process for your medical devices?

  • Do you have an update process for your connected devices?

  • Do you have a continuity plan in the event of a malfunction of a connected medical device that is essential to the overall operation of the hospital?

  • Is the role of the supplier of the connected medical device defined in this case?

  • Have you ever found yourself in one of these situations for one of your connected devices:

    • disclosure of information

    • denial of service (service not available)

    • falsification of data

    • identity theft

    • privilege escalation (unauthorized user accessing administrative rights)

    • repudiation (a party being able to deny an exchange or transaction because the parties were not authenticated)

  • Is access to your connected equipment limited to certain people?

  • Is the data held on all of your connected medical devices protected by access authorizations?

Part 3: Regulations

Recently, the European Union has defined new cybersecurity regulations that affect the medical field (the Cybersecurity Act in particular). Are you aware of these new regulations? If so, have they had an impact on your business?

Part 4: Support in cybersecurity

  • Do you use external cybersecurity services, for instance threat management services aimed at hospitals or at vendors of connected devices?

  • Have you ever engaged service providers to assess the security of your medical equipment (on a scale of 1 to 10)? If so, can you tell us which ones? Do you have any other comments or recommendations for us?

No-code prototyping

This part focused only on connected medical devices.

We also used Figma to prototype the interactions and explore them in more depth. In particular, we wanted to discuss how hospitals and vendors could cooperate better. A major need we identified is that remote updates can be delivered by the device vendor, but must take the hospital teams' schedule into account.

We did not implement that front end, since the medIAM project work items concern the underlying protocols, but the prototype helped us define the requirements.

We gathered feedback from:

  • IT/CISO teams: they were generally the least interested, because they considered biomedical devices to be outside their perimeter.

  • biomedical engineers: they explained that this type of software clearly answered a need, showed great interest, and suggested improvements that we took into consideration. They told us that real-time access to information from connected devices was impossible, because the hospital's information systems teams would certainly object on security grounds (security being enforced through network segmentation).

  • vendors (Philips): our contact seemed very interested in this offer. He told us that his company already had this type of software (named "Focal Point") and that its customers were very satisfied. However, customers regret that Focal Point is not compatible with all suppliers. In his words: "With this type of solution, we hit the nail on the head."

Detailed conversations can be made available on demand.
