Advancing Cybersecurity: Insights from the 8th EU Conference on Medical Devices and Diagnostics

Last week, I represented IAR at the 8th Annual European Medical Device and Diagnostic Cybersecurity Conference in Berlin, with Dr. Marc Thomas, Embedded Security Expert. This pivotal event brought together global leaders from healthcare, cybersecurity, and regulatory bodies to tackle the urgency of protecting medical technologies against cyber threats. We shared strategies on innovation to protect patient safety, data privacy, and healthcare infrastructure in a digital ecosystem. Many thanks to TT Lifesciences for the organization and to all attendees for insightful discussions!

Cybersecurity is more than a technical challenge

We discussed how integrating Security by Design into medical device development is not just best practice: it's essential. Regulatory compliance isn't a box-ticking exercise; it serves a vital purpose: to protect patients, users, companies, and the European society as a whole.

•  It is a matter of life or death: The studies found that when ransomware attacks occur in hospitals, mortality increase by 35 to 41% among patients. In critical moments, we count on technologies like infusion pumps and respiratory devices to function reliably. When our loved ones are vulnerable, failure is not an option.
• Financial and legal risk are real: Manufacturers can face personal and financial liability in the event of a security breach, including fines of up to 2.5% of global revenue or even prison. Top-down strategies must be implemented, as the Board of Directors is fully accountable for protecting the end-user.
• Reputation is an asset: Security isn’t a time-consuming box-ticking exercise, it’s the foundation of stakeholder trust. In a competitive market, credibility and user confidence are built on secure, dependable technologies.

Understanding the regulatory landscape: IEC 81001-5-1 and beyond

IEC 81001-5-1 (Health software and health IT systems safety, effectiveness and security) is a state-of-the-art guideline for cybersecurity requirements in health software, and it's increasingly being referenced in global regulations. While currently voluntary, it is expected to become mandatory under the upcoming CRA (Cyber Resilience Act 2024/2847), embedding cybersecurity as a key element of clinical safety alongside existing frameworks like MDR (Medical Device Regulation EU 2017/745) and IVDR (In Vitro Diagnostic Medical Device Regulation EU 2017/746). Together with IEC 62304 (software lifecycle safety) and ISO 14971 (risk management), it forms the foundation for compliance with ISO 13485 (the standard for Quality Management Systems in medical devices).

The path to secure development: a practical guide for embedded teams

For many manufacturers, addressing cybersecurity feels like facing a dauting mountain. But those who take the right path from the start can avoid blocked trails, costly detours, and exhausting backtracking. In fact, those who reach the summit first, by bringing secure and compliant devices to market early, will enjoy a clear competitive advantage.

So, where does this journey begin?

 1. Map the route: Risk assessment at base camp

Before you begin your ascent, gather your team at base camp to chart the risks ahead. Using threat modeling tools like STRIDE, DREAD, or PASTA, identify potential vulnerabilities, assess their impact, and define your cybersecurity priorities. This strategic map ensures your climb is well-prepared and focused from day one.

 2. Gear up : Select the right tools early

Choosing the right processor and development tools at the concept phase is like selecting the perfect hiking boots: if they fit, you’ll climb farther and faster with confidence. A processor with built-in secure memory areas (like ARM® TrustZone®) combined with an immutable SBM (Secure Boot Manager) provides a Root of Trust, establishing a secure foundation from the very first boot operation. This ensures device integrity protection throughout its lifecycle. Pick poorly, and you’ll face painful missteps, costly delays, and might even be forced to turn back and start over.

 3. Safety ropes for the climb : Build an unique security context

During the design phase, secure your development with essentials like secure boot, device authentication to validate your secured Firmware prototype. Think of these as your safety ropes and harnesses. Complement them with static and dynamic code reviews to avoid security gaps that hackers could exploit.

 4. Safeguard the Climb : Protect your assets

As you move into implementation and testing, ensure that your Intellectual Property is protected. Without proper safeguards, others may reverse-engineer your hard work, or worse, steal your designs outright.

 5. Watch the trail : Secure the supply chain

The production phase is a Zero-Trust Zone, whether in-house or outsourced. Malicious actors or insiders could introduce malware or unauthorized copies. Just as climbers check every anchor point, manufacturers must implement Secure Provisioning and supply chain security checks at every step.

 6. Reach the summit early : Stay ahead

Those who summit first with secure, compliant devices will stand tall with a first-mover advantage, while others may find themselves scrambling to retrofit systems under regulatory pressure. But the climb doesn’t end there: cybersecurity is ongoing. Like maintaining base camps from wild animals, vulnerabilities must be managed throughout the device’s lifecycle, including at least five years post-market, through regular secure updates and anti-rollback measures.

 7. Network security at the peak : Secure the environment

Finally, at the top, ensure the environment around your device is also protected. A well-designed PKI (Public Key Infrastructure) implemented and securely stored within a SBM provides a secure foundation for authenticating embedded medical devices on hospital networks, ensuring secure communication while protecting sensitive data from unauthorized access or tampering. Hospitals should implement firewalls, network isolation, maintain traceability, and report vulnerabilities to the proper authorities. Without this last step, even a well-climbed mountain can become unstable.

The journey to cybersecurity excellence is long and demanding, but with the right strategy, tools, and mindset, reaching the top is not only possible, it’s rewarding. Investing early in a end-to-end secure-by-design approach, followed by secure provisioning during manufacturing and protected updates throughout the lifecycle is far more cost-effective than dealing with the fallout of a security breach. After all, building a medical device without proper security is like solo climbing a cliff : why risk everything just to save on the equipment?

Why build from scratch when proven solutions exist?

Developing your own security framework could take over a year, with no guaranteed result. Just like you wouldn’t handcraft your shoes and ropes yourself to climb a mountain, you shouldn’t build security from scratch when robust, trusted solutions already exist.

 At IAR with our embedded security solutions, we support you every step of the way, offering end-to-end tools and training to meet evolving EU regulations like MDR, IVDR, and IEC 81001-5-1.

 Already working on a legacy device or deep into development? It’s not too late to join the ascent. Late-stage security solutions are available to help you retrofit protection and ensure compliance: even near the summit, there are safe paths forward.

Climb to secure embedded success: Equip your team with the right cybersecurity tools

The journey to cybersecurity maturity may be challenging, but it is achievable and ultimately rewarding. With the right foundation, tools, and mindset, you can protect your users, your company, and your reputation.

Learn more about IAR's platform and embedded security solutions or contact IAR to secure your path and lead the industry toward a safer, more resilient healthcare future.