Market characteristics

Healthcare meets cybersecurity

Characteristics of the market (medical devices)

From a European perspective, it's important to realize that the "medical device" market is organized around many smaller players and big US players.

  • 20,000 vendors worldwide, 80% SMEs (including 1,100 in France)

  • 90% of the volumes are generated by 30 vendors

    • France: Essilor, Biomérieux

    • Germany: Siemens, B Braun, Fresenius, Paul Hartmann, Roche Diagnostic, Alcon

    • US: 19 vendors out of 30

Medical devices are classified according to their impact on patient safety:

  • Class I: non-invasive devices (which stay outside the human body) or non-surgical invasive devices for temporary use. Example: compresses, crutches or infusers.

  • Class IIa: non-invasive devices in contact with blood, body fluids, organs or injured skin, or non-surgical invasive devices for short-term use. Example: contact lenses or sterile gloves for surgical procedures.

  • Class IIb: non-invasive devices in contact with damaged skin where the dermis is destroyed, or surgically invasive devices intended for long-term use. Example: blood bags, staples, a dialysis generator or a contraceptive device.

  • Class III: surgically invasive devices, devices made from tissue of animal origin or incorporating an active substance, or implantable devices. Example: vascular prostheses, heart valves.

The certification process is configured accordingly:

Class I: no control, self-certification by the manufacturer.
Class IIa: production control.
Class IIb: production control and quality assurance monitoring.
Class III: design and manufacturing control, logistics monitoring, quality assurance and validation by clinical tests.

From field interviews, we gathered a few additional metrics:

  • a radiologist deals with 50,000 images per day, so automation is a requirement

  • an average of 10-15 sensors per connected bed

Personas

Healthcare organisations

In healthcare organisations, two main jobs are directly involved in the security of connected medical devices:

  • "Chief information security officer - CISO" (in charge of cyber security)

  • a networking specialist may define network segmentation to mitigate some of the risks (especially for older devices that can't be removed or upgraded)

We have often seen a siloed approach between traditional information systems (IT) and connected devices (IoT).

Vendors

Vendors need to address both product innovation and cybersecurity. In implementing a program to manage cybersecurity risks, manufacturers should, among other things, have a way to monitor and detect cybersecurity vulnerabilities in their devices; establish a process for working with researchers and other stakeholders to get information about potential vulnerabilities ("coordinated vulnerability disclosure policy"); and deploy mitigations (e.g., software patches) to address issues early, before they can be exploited and cause harm.

This may involve many different job functions:

  • a CISO may coordinate the efforts

  • the product manager should have a minimal understanding of how to deal with the cybersecurity of devices that will be deployed

  • hardware and software technical teams need to design with cybersecurity in mind (and have time for that)

Last updated 3 years ago

It's harder to assess the specificities of "connected medical devices". We can observe that electrical equipment manufacturers are also developing in that area (e.g. Philips). BSI has recently published the results from its ecare study.

Therefore cybersecurity is becoming a big concern for medical organizations. Attacks have already occurred and have even led to catastrophic consequences for patients.

biomedical engineer (in charge of medical devices) - example in France

afib
What do we mean by connected medical device ?