Cybersecurity professionals had been warning the healthcare industry about the exploitation of connected medical devices, and about clinicians' growing dependence on them, long before those warnings became reality: in September 2020 a patient died after a ransomware attack at a German hospital forced her ambulance to be diverted to a more distant facility. (German prosecutors later concluded that her condition was so severe that the delay was not the legal cause of death, but the case remains the clearest illustration to date of how an IT outage can reach the patient.)
How did the ransomware paralyze Duesseldorf University Hospital?
According to the official reports, the hospital's internal systems failed progressively. First, staff lost access to the records of admitted patients; then, without the necessary data and with networked equipment unavailable, they could no longer safely perform time-critical procedures, and the hospital had to deregister from emergency care and divert incoming patients elsewhere.
Readers will also remember the WannaCry attack of May 2017, which spread through an SMBv1 vulnerability in unpatched Windows systems and disrupted major healthcare organisations, among them the NHS in the United Kingdom, where dozens of trusts had to cancel appointments and divert ambulances. Luckily no deaths were attributed to the attack, but it drew the attention of healthcare professionals and device manufacturers to the underlying problem: clinical environments full of connected systems that are rarely patched.
In what other ways do the cybersecurity weaknesses of healthcare devices threaten us?
From patient records, lab results and radiology equipment, through hospital elevators, to personal wearable trackers and mobile applications, healthcare professionals and individual users increasingly rely on devices connected to the Internet. This interdependence makes data easy to access and share and keeps patients engaged, but it also carries the risk of data theft, malicious data alteration, denial of access to critical data, and extortion.
In early 2019, researchers at Ben-Gurion University in Israel demonstrated malware that uses deep learning to add or remove tumours in CT scans, convincingly enough to mislead radiologists into misdiagnosing their patients. The attack worked because the scans travelled between the scanner and the hospital's image archive unencrypted and without any integrity protection, so a device placed on that network path could alter them in transit.
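The practical defence against that kind of in-transit alteration is to bind an integrity tag to each study at the scanner and verify it before the image is ever shown to a clinician. The following is an added example written for this page, not code from the original article or from the researchers; it uses a constructed toy scan (a small grid of pixel values) in place of a real DICOM file, an HMAC shared between scanner and viewer in place of the asymmetric signature a real deployment would use (so that the viewer holds no secret), and a hypothetical key constant `SCANNER_KEY` that would in practice be provisioned to a secure element or HSM.

```python
"""
Added illustration: integrity-protecting an imaging study so that an
in-transit modification (like the tumour-injection attack above) is
detected before the image reaches a clinician.

Example code, not from the original article. The scan format, key and
attacker step are all constructed for the demonstration.
"""
import hashlib
import hmac

# Hypothetical shared key provisioned to the scanner and the archive/viewer.
# A real deployment would keep this in an HSM or the device's secure element,
# or use a per-scanner signing key with a public key at the viewer.
SCANNER_KEY = b"example-key-do-not-use-in-production"


def serialize_scan(patient_id: str, study_id: str, pixels: list[list[int]]) -> bytes:
    """Canonical byte encoding of a toy scan. Patient and study identifiers
    are bound into the signed blob so a tag from one study cannot be
    replayed on another."""
    header = f"{patient_id}\n{study_id}\n{len(pixels)}x{len(pixels[0])}\n".encode()
    body = bytes(v for row in pixels for v in row)
    return header + body


def sign_scan(key: bytes, scan: bytes) -> str:
    """Scanner side: MAC over the canonical scan bytes."""
    return hmac.new(key, scan, hashlib.sha256).hexdigest()


def verify_scan(key: bytes, scan: bytes, tag: str) -> bool:
    """Viewer side: recompute and compare in constant time, so a byte-by-byte
    mismatch does not leak timing information about the expected tag."""
    expected = hmac.new(key, scan, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def inject_tumour(pixels: list[list[int]], row: int, col: int,
                  radius: int = 1, intensity: int = 255) -> list[list[int]]:
    """Constructed attacker step: brighten a small region of the image, the
    way the researchers' malware inserted an artificial lesion."""
    tampered = [r[:] for r in pixels]
    for r in range(max(0, row - radius), min(len(pixels), row + radius + 1)):
        for c in range(max(0, col - radius), min(len(pixels[0]), col + radius + 1)):
            tampered[r][c] = intensity
    return tampered


def demo() -> tuple[bool, bool, bool]:
    """Returns (intact_ok, tampered_ok, replayed_ok)."""
    pixels = [[40] * 8 for _ in range(8)]  # constructed 8x8 "scan"
    original = serialize_scan("P001", "CT-2019-0001", pixels)
    tag = sign_scan(SCANNER_KEY, original)

    # 1. Untouched study verifies.
    intact_ok = verify_scan(SCANNER_KEY, original, tag)

    # 2. A lesion injected on the network path breaks the tag.
    tampered = serialize_scan("P001", "CT-2019-0001", inject_tumour(pixels, 3, 3))
    tampered_ok = verify_scan(SCANNER_KEY, tampered, tag)

    # 3. Reusing a valid tag on a different patient's study also fails,
    #    because the identifiers are part of the signed bytes.
    replayed = serialize_scan("P002", "CT-2019-0001", pixels)
    replayed_ok = verify_scan(SCANNER_KEY, replayed, tag)

    return intact_ok, tampered_ok, replayed_ok


if __name__ == "__main__":
    print(demo())
```

The tag has to cover a canonical encoding that includes the study and patient identifiers; MACing only the pixel buffer would let an attacker move a legitimately signed image onto another patient's record. With a shared key the viewer could also forge tags, which is why a production design would have the scanner sign with a private key and distribute only the public key.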
Wearable trackers and their companion applications pose a growing security risk of their own, as the measurements they collect become more granular and closer to real time. They are not exempt from exploitable vulnerabilities either. “When you’re looking at the ‘brain’ of one of these devices, if the software isn’t designed to protect itself and it’s not designed without design flaws and without vulnerabilities and implementation bugs in it — which we’ve seen — then it will be attacked,” said Gary McGraw, CTO of software firm Cigital.
How can such exploitation be avoided?
In the healthcare sector, two new EU regulations entered into force on 25 May 2017: the Medical Device Regulation (MDR, EU 2017/745) and the In Vitro Diagnostic Regulation (IVDR, EU 2017/746). Manufacturers can keep building state-of-the-art connected devices, but they now have to demonstrate a risk-management process that covers IT security across the device's life cycle, including the software it runs and the networks it connects to.
Common Criteria (ISO/IEC 15408) is the international standard for IT security evaluation and certification. A product, whether a medical device or anything else, is evaluated against a Security Target that states what it protects and how, at an assurance level (EAL) that determines how deeply the evaluator examines its design, implementation and testing. A certificate therefore shows that the product's claimed security functions were built with cybersecurity in mind and verified by an independent laboratory; it complements, but does not replace, sector regulations such as the MDR.
At CCLab, in addition to Common Criteria evaluation, we provide cybersecurity consulting, penetration testing and security-focused risk management, and we support the security of your product lifecycle management and information security management processes, so that your medical devices meet the expectations of professionals and of private individuals who are cautious about their personal data.
The new Common Criteria Scheme, called the European Cybersecurity Certification Scheme (EUCC), is essential for harmonizing high-security cybersecurity certification of ICT products across EU member states. It facilitates mutual recognition of certifications, supports innovation, and ensures compliance with legal requirements. Fully effective from February 2025, the EUCC aims to provide a unified and robust framework for evaluating IT products, boosting consumer trust, and fostering a more secure digital environment.
Common Criteria (CC) is a globally recognized standard for evaluating and certifying the security features of eligible Information Technology (IT) products. Established through collaboration between multiple nations, CC provides a unified framework for assessing and comparing the security capabilities of IT solutions. This standardization ensures that products meet predefined security requirements, enhance consumer trust, and facilitate access to international markets.
In cybersecurity, the Common Criteria (CC) is a cornerstone that provides a standardized framework for evaluating the security capabilities of eligible IT products. It is a vital tool for manufacturers seeking to assess the effectiveness and reliability of security solutions in the face of evolving threats. However, as technology advances at an unprecedented pace, the challenges faced by IT security professionals continue to grow. The new version of the CC (CC:2022 Revision 1) was published in November 2022.