E-Health and IT Security: How can digitization in healthcare be made secure?

Interview with Christian Rosenzweig (Johner Institute) – Part 2

In the first part of our interview, we clarified basic questions about e-health and, based on an impressive personal anecdote, heard how important it is to think about IT security in this context.


In the second half of the interview, Christian Rosenzweig reports from his experience as a consultant to manufacturers of medical devices. His focus is on quality management, risk management and regulatory affairs, so he has deep insight into the state of information security in healthcare.


E-Health: What is the status of information security?

How do you assess the current status: Where is the healthcare system already well positioned in terms of information security? Where do you see the greatest need for optimization?

First of all, this varies greatly from region to region. In Germany we have an enormous amount of catching up to do when it comes to IT security, especially in the healthcare sector. And unfortunately, healthcare currently ranks among the top attack targets.

Medical device manufacturers and healthcare providers are currently dealing with the topic very differently. While some have declared IT security a matter for top management, others are not even aware of it.

The legislator is therefore currently raising the legal requirements in all areas. This is where the shortage of skilled workers bites. Other industries have long since secured the available experts, which is why the market for them is sparsely populated.

The good news: Those responsible in the healthcare sector are now increasingly recognizing the failures of recent years in terms of IT security and are taking action.


Challenges in the integration of IT security in the field of e-health

You deal in particular with risk management for medical devices. What are the particular challenges here when integrating information security?

The regulatory framework for medical devices has now clearly made IT security mandatory via the European Medical Device Regulation of 2017. We are seeing something similar internationally in other markets.

However, the law failed to provide a precise description of what is meant by IT security. That is why many manufacturers first tried to familiarize themselves with the topic on their own and got lost in the details. There is now an international standard tailored to the medical device market, which the legislators intend to officially recognize next year. This finally describes clearly how medical device manufacturers have to implement IT security in the product's life cycle process.

The crux of the matter is that IT security cannot be "tested into" the product at the end of development; the activities for this must instead be implemented early and step by step in the development process. This approach is referred to as "security by design".

The final penetration test confirms (hopefully) that the early efforts were successful and that the product is sufficiently IT-secure. It also covers security aspects that cannot yet be checked during the development process, for example the human factor (social engineering) and physical security. The final penetration test is therefore an important instrument for the legislator.

This shifts necessary activities to the medical device operators, e.g. the hospitals: they receive products that are virtually IT-secure ex works ("security by default"), a very important prerequisite for safe operation.

The topic of data protection and data confidentiality can be taken into account in the same way (“privacy by design" and "privacy by default").

However, the prerequisite is that the medical device manufacturer engages intensively with the topic, which is not always easy given the shortage of skilled workers. That is why, at this point, I often advise my customers to involve external experts and service providers with a lot of experience in the field.

What role do penetration tests play in e-health?

What is the added value of penetration tests?

How can penetration tests, such as those carried out by ProSec, support the secure development of medical devices?

At the end of the development process, the legislator requires proof that the product is secure in its application environment. Basically, that boils down to the question "Is the product still vulnerable from the outside?" The method for answering this question is a "penetration test", in which highly experienced IT security experts use all their knowledge to compromise the system. The legislator requires that this activity be carried out independently of the manufacturer's own development team. For small and medium-sized medical device manufacturers, this means they have to outsource the tests and have them carried out by a service provider.

Apart from these regulatory requirements, I recommend that my medical device manufacturers also have accompanying penetration tests carried out early in the development phase (on a smaller scale than the final test). As a formative measure, this creates real added value in the development process. In this way, manufacturers can identify weak points at an early stage, take them into account in risk management and adapt the architecture accordingly. They then do not have to jump back to the beginning at the end (after the final pentest), and they save resources.

The difficulty is that there are a great many such service providers.

How do I recognize a good penetration test service provider?

Given this large number, how can medical device manufacturers be sure to select the right service provider for a penetration test? What quality criteria do you give the manufacturers you advise?

The quality of the service definitely varies a great deal. I often experience that a medical device manufacturer proudly shows its penetration test certificate, which, on closer inspection, turns out to be a report from a standard tool. This is where the wheat is separated from the chaff: while such tools only enable an automated test run, providers of high-quality penetration tests have experts who intensively check all attack vectors of the product.

With a good penetration test, I know as a manufacturer: the attempt to hack the product is carried out at the same level at which malicious hackers work.

Automated standard tests, on the other hand, are neither recognized in the approval of a medical device, nor do they reliably detect all remaining weak points.

Can you use an example to explain why such an automated security test using tools cannot cover all important security aspects?

For example, professional penetration testers know where middleware caches session cookies. If you specifically start at such a point and intercept the session cookie, you can continue working with it. Tools do not have this kind of intelligence. Automated tests work more with brute force attacks or SQL injections, but do not cover complex attack scenarios.

Penetration testing is highly creative work that requires imagination to individually combine various complex attack scenarios. Tools cannot do that.

At the Johner Institute, we carry out penetration tests ourselves using our own experts, but in the event of capacity bottlenecks we turn to ProSec, which has proven to be an extremely reliable partner. In particular, manufacturers of critical products and systems with high demands on IT security benefit from this.

Is it worth investing in a good penetration test?

We've discussed the benefits of penetration testing in detail. Do you have a message for clinic managers or medical device manufacturers who are reluctant to make this investment for cost reasons?

Hospitals in particular often struggle with budget problems and therefore avoid investments in IT security. The massive impact of successful ransomware attacks on clinics shows that this is an understandable but dangerous calculation.

If you want to keep your business running at all given the current number of ransomware attacks, you cannot avoid securing your systems.

Thank you very much for this informative interview and the insights into your experience with medical device manufacturers!
