CORDIS - EU research results

NEw MEdical CYbersecurity assessment and design Solutions

Periodic Reporting for period 1 - NEMECYS (NEw MEdical CYbersecurity assessment and design Solutions)

Reporting period: 2023-01-01 to 2024-06-30

Cybersecurity of connected medical devices and in-vitro diagnostic devices connected to the internet (together, CMDs) faces several critical challenges that introduce risk, incur cost or impair the key medical purpose of delivering care. Firstly, the guidelines and standards for Medical Device (MD) cybersecurity are complex, too generic, and incomplete - due to the changing landscape of cyber threats, and also due to the need to integrate CMDs in ever more advanced, multi-institution and multi-device scenarios to deliver more effective and efficient patient care where and when it is most needed. Secondly, cybersecurity comes at a cost – it is financially costly to implement and maintain, and too much cybersecurity can impair other critical concerns such as the clinical care of the patient or ethics representing citizen rights. Thirdly, the lifecycle of the devices themselves is complex: CMDs need to be independently cybersecure, but additional threats and compromises may arise when they are connected in scenarios, and threats can be propagated from other connected devices that may have vulnerabilities unknown to the device manufacturer.

The NEMECYS project is addressing these challenges via three integrated approaches:
1) We are reviewing relevant MD guidelines, such as the Medical Device Coordination Group (MDCG) 2019-16, with the objective of providing recommendations for improvement. In consultation with domain experts, we are also utilising our four exemplary case studies to identify gaps, recommendations to address them, and best practice. We will synthesise the results and feed them back to the relevant communities.
2) We are investigating proportionate risk-benefit schemes. We will extend the partners' existing state-of-the-art background work on cybersecurity risk assessment to accommodate connected medical device situations, where the cybersecurity risks of connected and in vitro medical devices are balanced with ethical concerns and clinical benefit to determine proportionate actions based on considerations of vulnerability, patient benefit and rights.
3) We are developing tools and toolboxes targeted at three user types that reflect the lifecycle of CMDs: at design time (supporting CMD Manufacturers), during integration into connected multi-stakeholder scenarios (supporting CMD System Integrators) and in the operation of these scenarios (supporting Operators such as hospitals or care providers).

The NEMECYS work is driven by its stakeholder needs, and will be validated by four different case studies, including relevant connected medical device and in vitro device scenarios. The case studies are:
* The bioimpedance measurement patch developed by project partner Mode Sensors (Norway).
* A wearable medical device for continuous monitoring of movement disorders, such as Parkinson’s disease, developed by project partner PD Neurotechnology (UK).
* The development and use of a Class IIb mobile phone application capable of connecting to other medical devices and to a remote server, designed by project partner Debiotech (Switzerland).
* The use of self-tests with in-vitro-diagnostic (IVD) medical devices, provided by Ospedale San Raffaele S.r.l. (Italy).

The results from the project will help practitioners to comply with relevant regulations, to apply proportionate cybersecurity for their CMDs (too little security risks exposure, too much is costly and can obstruct clinical care) and to build in "cybersecurity by design" for their devices and the connected scenarios they operate in.
The technical and scientific work has been performed in the context of four technical work packages.

In WP1, the main achievements are:
• A comprehensive review of existing regulations, guidelines, best practices, and standards.
• A series of stakeholder engagement activities to identify current practices, challenges and barriers, and needs and expectations.
• Identification of gaps in the MDCG guidelines, and initial recommendations for improvement.

In WP2, the main achievements are:
• A model for identifying indicators of cyber security risk.
• A detailed analysis of the project’s four case studies, including models of relevant cyber security risks.
• Extended the knowledge base of one of the risk assessment tools, to bridge the gap between cybersecurity of medical devices and patient harms.
• Developed and demonstrated a privacy compromise detection machine learning tool.

In WP3, the main achievements are:
• A review of existing security solutions relevant for CMDs.
• Identification of cyber-security challenges faced by CMD stakeholders.
• Requirements for tools and toolboxes for cyber-secure development, integration and operation of CMDs.
• An initial set of tools and toolboxes.

In WP4, the main achievements are:
• An initial analysis and documentation of the project's four case studies.
• A traceability matrix mapping the MDCG guidelines to the project's tools.
• Preparing our two pilots, by mapping our tools to our case studies.
The main results from the NEMECYS project at this point in time are 10 key results:
* Our nine tools for cyber-secure development, integration and operation of CMDs, which are currently being developed:
* A method for identifying risk indicators in the environments that the CMDs operate in.
The impact achieved so far is both scientific, delivered as open access scientific papers, and economical/technological, enabled by stakeholder engagement workshops that we have arranged.