Lately, there has been a growing stream of bad news about information technology (IT) in hospitals and medical devices. After servers, routers, and cars, an anesthesia machine has now also been hacked. And it's hardly surprising that hospital staff would open an email with the subject "Virus Warning," especially given how important hygiene is in a hospital.
At first glance, these look like isolated cases. There's a medical device manufacturer that clearly wasn't paying attention. There's a hospital that doesn't have its IT landscape under control and has no backups, so a so-called encryption Trojan (ransomware) paralyzes the entire hospital for several days. On the sidelines, of course, there are calls for more controls, more laws, or more regulations. Very few people are aware that these already exist but are rarely enforced. Long before the federal government passed the IT Security Act in July 2015, many requirements for IT networks containing medical devices had already been defined.
DIN EN 80001-1, which deals intensively with this topic, has existed since 2011. The Medical Devices Act (MPG), the risk management standard DIN EN 14971, the standard for medical electrical devices DIN EN 60601-1, the medical device software standard DIN EN 62304, and DIN EN 61907 on communication networks also provide more than enough guidance on networked medical devices and what needs to be considered. DIN EN 80001-1 examines three key properties that networking must preserve: safety, data and system security, and effectiveness. It's not just about ensuring that a device is not vulnerable to external attacks. It also covers how well operators are prepared for a network failure. And that can be something as trivial as a network printer failing. (In this case, keeping a USB cable on hand to connect the PC and printer directly is usually sufficient as a remedial measure.)
The challenges, on the other hand, lie in the details. Anyone who tries to create a list of all the devices connected to the network at home (including operating system, IP address, MAC address, open ports, etc.) will be amazed at the sheer number of devices. There's the router, the computer, a laptop, a tablet, the television, the Blu-ray player, the iPod, the printer, a network storage device, etc. If you imagine how many products are in a hospital, you can imagine the magnitude of the task. The next step is to create a network plan according to the standard, i.e., how the devices are connected, where switches, firewalls, etc. are positioned. You quickly realize that it might not make sense to have the MRI on the same network as the ECG monitor. And the multimedia system at the bedside is on the same network as the ward PC...
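The inventory and network-plan steps described above, as an added example that is not part of the original article: a constructed device list with OS, IP, MAC and open ports is grouped by the subnets drawn on the plan, and any segment that mixes zones (the MRI next to the ECG monitor, the bedside TV next to the ward PC) or any device missing from the plan is reported. All devices, addresses, MACs and zone labels are assumptions made up for the example.

```python
"""Added example, not from the original article: a small inventory and
network-plan check in the spirit of the DIN EN 80001-1 steps above. Every
device, address, MAC, OS and zone label below is a constructed assumption."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: (name, ip, mac, os, open_ports, intended_zone).
# intended_zone is an assumed label taken from the network plan, not a standard term.
INVENTORY = [
    ("MRI",             "10.10.1.10",  "00:11:22:aa:00:01", "Windows 7",  [80, 104],   "imaging"),
    ("ECG monitor",     "10.10.1.20",  "00:11:22:aa:00:02", "embedded",   [104],       "monitoring"),
    ("Ward PC",         "10.10.2.30",  "00:11:22:aa:00:03", "Windows 10", [135, 445],  "office"),
    ("Bedside TV",      "10.10.2.40",  "00:11:22:aa:00:04", "Android",    [8080],      "multimedia"),
    ("Network printer", "10.10.2.50",  "00:11:22:aa:00:05", "embedded",   [515, 9100], "office"),
    ("Infusion pump",   "192.168.0.5", "00:11:22:aa:00:06", "embedded",   [],          "monitoring"),
]

# Constructed network plan: the segments that actually appear on the plan.
PLAN = [ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")]


def segment_of(ip, plan=PLAN):
    """Return the planned segment containing ip, or None if the device is unplanned."""
    addr = ip_address(ip)
    return next((net for net in plan if addr in net), None)


def zones_per_segment(inventory=INVENTORY, plan=PLAN):
    """Map each planned segment to the set of zones of the devices found on it."""
    zones = defaultdict(set)
    for name, ip, mac, os_name, ports, zone in inventory:
        seg = segment_of(ip, plan)
        if seg is not None:
            zones[seg].add(zone)
    return dict(zones)


def mixed_segments(inventory=INVENTORY, plan=PLAN):
    """Segments carrying more than one zone, e.g. the MRI sharing a subnet with the ECG monitor."""
    return {seg: sorted(z) for seg, z in zones_per_segment(inventory, plan).items() if len(z) > 1}


def unplanned_devices(inventory=INVENTORY, plan=PLAN):
    """Devices whose address lies in no planned segment: a gap between inventory and plan."""
    return [dev[0] for dev in inventory if segment_of(dev[1], plan) is None]


if __name__ == "__main__":
    for seg, zones in mixed_segments().items():
        print(f"{seg}: mixes zones {zones}")
    print("not on the plan:", unplanned_devices())
```

On a real network the inventory would be fed from a discovery scan or asset database rather than typed in, but the plan-versus-inventory comparison stays the same.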
Although the risk is high, little has been done in this area so far. There are currently few auditors, and therefore few operators who prepare for audits. But just as at home, operators should give their IT networks some thought – especially when human lives and significant economic losses depend on them.
