Skip to main content
DSI Industrial & Policy Recommendations Series (IPR)

Recommendations for safety and IT security in medical devices

DSI Industrial & Policy Recommendations Series (IPR) 2017 (6)
Health and environment; Information technology and systems; Technology, R&D management
IT security, cybersecurity, e-health, IoT, safety, medical devices
The healthcare industry is undergoing great technological transformations. Hospitals are going digital and medical devices – whether implanted in patients’ bodies or stationed in hospitals – are equipped with increasing computing power and wireless connectivity. Connected healthcare can offer safer, more efficient, and timely medical service delivery. It also presents great economic opportunities – according to a Roland Berger consultancy firm study, the digital healthcare market is set to grow at average annual growth rates of 21 percent until 2020. Yet, the integration of computing and communication technologies in safety-critical medical systems will expose them to the same network and information security (cyber security) threats as other information technology (IT) systems. Research and real-world incidents have shown that IT security risks in healthcare are systemic. Cyber attacks’ impact on the privacy of patient data has already been established. More recently, their potential impact on patient health and safety has been raising concerns for healthcare organizations, regulators, and medical device manufacturers alike. The management and governance of related risks requires comprehensive standardization, regulation, and best practices to encompass both IT security and safety. DSI has analyzed the convergence of safety and security risks in healthcare and the Internet of Things through a review of the relevant literature, as well as expert interviews and a workshop with representatives from health organizations, medical device manufacturers, IT security experts, safety engineers, regulators, and certification bodies. On this basis, DSI has developed recommendations for policy and industry, which are presented by this paper after a short analysis of the current status of security in connected healthcare.