Interview with Christian Rosenzweig (Johner Institute) – Part 2
In the first part of our interview, we clarified basic questions about e-health and, based on an impressive personal anecdote, heard how important it is to think about IT security in this context.
In the second half of the interview, Christian Rosenzweig reports from his experience as a consultant for manufacturers of medical devices. His focus is on quality and risk management and regulatory affairs, so he has deep insights into the state of information security in healthcare.
How do you assess the current status: Where is the healthcare system already well positioned in terms of information security? Where do you see the greatest need for optimization?
First of all, this varies greatly from region to region. In Germany we have an enormous amount of catching up to do when it comes to IT security, especially in the healthcare sector. And unfortunately it is currently among the top targets for attacks.
Medical device manufacturers and healthcare providers are currently dealing with the topic very differently. While some have declared IT security a matter for top management, others are not even aware of it.
The legislature is therefore currently raising the legal requirements in all areas. This is where the shortage of skilled workers strikes. Other industries have long since stocked up on the available experts, which is why the market for them is sparsely populated.
The good news: Those responsible in the healthcare sector are now increasingly recognizing the failures of recent years in terms of IT security and are taking action.
You deal in particular with risk management for medical devices. What are the special challenges here when integrating information security?
The regulatory framework for medical devices has now clearly made IT security mandatory via the European Medical Devices Regulation of 2017. We see something similar internationally in other markets.
However, the law failed to provide an accurate description of what is meant by IT security. That's why many manufacturers first tried to familiarize themselves with the topic and got lost in the details. There is now an international standard tailored to the medical device market, which legislators intend to officially recognize next year. This finally describes clearly how medical device manufacturers have to implement IT security in the life cycle process of the product.
The final penetration test confirms (hopefully) that the early efforts were successful and that the product is sufficiently IT-secure. Security aspects are also included that cannot yet be checked in the development process, for example the human factor (social engineering) and physical security. Therefore, the final penetration test is an important instrument for the legislator.
This shifts necessary activities to the medical device operator, e.g. the hospitals. They receive products that are virtually IT-secure ex works ("security by default"), a very important requirement for safe operation.
The topic of data protection and data confidentiality can be taken into account in the same way ("privacy by design" and "privacy by default").
However, the prerequisite is that the medical device manufacturer deals intensively with the topic, which is not always easy due to the shortage of skilled workers. That's why at this point I often advise my customers to involve external experts and service providers with a lot of experience in the field.
How can penetration tests, such as those offered by ProSec, support the secure development of medical devices?
At the end of the development process, legislators require proof that the product is secure in its application environment. Basically, that boils down to the question: "Is the product still vulnerable from the outside?" The method for answering this question is a "penetration test", in which extremely experienced IT security experts use all their knowledge to compromise the system. The legislature requires that this activity only be carried out independently of your own development team. For small and medium-sized medical device manufacturers, this means they have to outsource the tests and have them carried out by a service provider.
Apart from these regulatory requirements, I recommend that my medical device manufacturers have accompanying penetration tests carried out early in the development phase (to a lesser extent than the final test). Formatively, this creates real added value in the development process. In this way, manufacturers can identify weak points at an early stage, take them into account in risk management and adapt the architecture accordingly. That way, they do not have to jump back to the beginning at the end (after the final pentest) and they save resources.
The difficulty is that such service providers exist in large numbers.
With this large number, how can medical device manufacturers be sure to select the right service provider for a penetration test? What quality criteria do you give the manufacturers you advise?
The quality of the work is definitely very different. I often experience that a medical device manufacturer proudly shows its penetration test certificate, which, on closer inspection, turns out to be a report from a standard tool. This is where the wheat is separated from the chaff: while such tools only enable an automated test run, providers of high-quality penetration tests have experts who intensively check all attack vectors of the product.
Can you use an example to explain why such an automatic security test using tools cannot cover all important security aspects?
For example, professional penetration testers know where middleware caches session cookies. If you specifically start at such a point and intercept the session cookie, you can continue working with it. The corresponding tools do not have such intelligence. Automated tests work more with brute force attacks or SQL injections, but do not include complex attack scenarios.
Penetration testing is a highly creative work that requires imagination to individually combine various complex attack scenarios. Tools can't do that.
At the Johner Institute, we carry out penetration tests ourselves using our own experts, but in the event of capacity bottlenecks we turn to ProSec, which has proven to be an extremely reliable partner. In particular, manufacturers of critical products and systems with high demands on IT security benefit from this.
We've discussed the benefits of penetration testing in detail. Do you have a message for clinic managers or medical device manufacturers who are reluctant to make this investment for cost reasons?
Hospitals in particular often struggle with budget problems and therefore avoid investments in IT security. The massive impact of successful ransomware attacks on clinics shows that this is an understandable but dangerous calculation.
Thank you very much for this informative interview and the insights into your experience with medical device manufacturers!