Risk-Oriented Cybersecurity for Medical Devices
Medical devices and services currently converge by means of connectivity. New connectivity services allow distributing functions not only across different devices and IT systems, but also to cloud services. Over-the-air software upgrades permit flexible enhancements of existing embedded systems and thus adjusting performance features as well as providing software upgrades for defect corrections and new functionality. Very fast, classic medical IT and embedded medical devices are converging to multi-purpose systems. With fast growing connectivity and the need to cope with functional safety, cybersecurity has gained huge relevance in short time-frame. Often protocol stacks are rather open to facilitate flexibility, but thus create security risks. Decent security analysis and security concepts are necessary to protect each step of the development life-cycle. This article introduces the risk-oriented medical cybersecurity. We start with a combined security and safety life-cycle for medical products and services, built upon Medical SPICE. Starting with a connected TARA (threat and Risk Analysis) and HARA (Hazard and Risk analysis) we converge to security requirements to harden safety requirements, and thus provide best practices on security engineering. With verification and validation, we investigate static code analysis but also towards specific testing such as fuzzing and penetration testing for medical devices. We show hands-on examples on basis of the COMPASS SecurityCheck and directly connected grey-box PenTesting. The presentation provides hands-on examples and introduces to a hands-on TARA and related PenTest activity.
Was lernen die Zuhörer in dem Vortrag?
- Risk-oriented Security Engineering best practices
- Security Check
- Connecting TARA and HARA for converged systems
- Grey-Box PenTesting
Safety & Security
Entwickler, IT, Produktmanagement, Projektmanagement, Qualität, Zulassung