Rising quality awareness as well as increasing cost pressure in the public health sector create high demands on hospitals, pharmaceutical companies, and manufacturers of medical equipment. At the same time, vulnerabilities in modern electronic devices dramatically increase with complexity and connectivity.
For medical companies, Vector Consulting Services provides professional support in developing and optimizing business and engineering processes. As part of the Vector Group, we work with the industry to improve efficiency with reference to Medical SPICE, to manage quality according to standards and to minimize risks and increase safety.
Through necessary change management, our consultants achieve cost efficiency with measurable benefits, thanks to our experiences in implementing lean and agile processes.
"Vector Consulting Services supported Panasonic with cybersecurity, demonstrating an outstanding level of expertise. The goal of a comprehensive TARA integrated into a security concept was achieved. The support was intense and very successful!"
- Michael Prantke, Project Manager, Panasonic
"Vector Consulting has been supporting Realtech with interim management in a professional and effective way. The structured, methodical and consistent management has sustained our development organization and improved our performance."
Vector offers medical device manufacturers a professional support in product development and change management according to industry-specific standards:
Risk management for medical devices (ISO 14971)
Software life cycle for medical devices (IEC 62304)
Quality management for medical devices (ISO 13485)
Medical electrical equipment (IEC 60601)
Safety of Medical Devices depends on Cybersecurity
Security of medical devices is of prime importance as these are dealing with the health and data of people. Most of the devices have limited size and hardware to fit those on to the patient's skin. It leads to low level encryptions of data, giving easy attack potention to the adversaries.
Examples of cyberattacks on medical devices: eavesdropping, data leakage, data corruption, password attacks, sensor confusion, vulnerabilities in application, deceiving forensic examiners (repudiation).
Most security attacks are process and implementation related. Therefore, security is about identification of the attack surface starting with Security Requirements and risk mitigation across the Life-Cycle.
Security by Design
Promoted by safety-driven development
Critical systems should be "Secure by Design"
Fontloading with requirements, bottom-up protection and security engineering
Security by Life-Cycle
Promoted by experiences in IT and Software-intensiv systems
Add-on to traditional "security-by-design" approach
Counters dynamic changes and evolution of threats and secuirty mechanisms
Cybersecurity and Penetration Testing for Medical Systems
Medical devices are increasingly connected and complex in their software. As they often are highly safety-critical, such as pacemakers and insulin pumps, there is a need to strengthen them against cyberattacks. The healthcare industry is using various methods for security verification and validation, such as static code analysis, fuzzing, classic black-box penetration testing (PenTest). Yet we realize that with classic security testing, vulnerability detection is inefficient and incomplete.
In this article we show how an enhanced TARA-based grey-box PenTest (GBPT) needs less test cases while being more effective in terms of coverage while indicating less false positives. With its integration to test-oriented requirements engineering (TORE), it supports a true triple peak method, connecting requirements elicitation, analysis and test strategy. A side effect of GBPT is its minimum viable test set which eases regression testing in agile development and redeliveries, while still being FDA compliant. This article introduces to the GBPT method and applies it to a real-world insulin pump, thus showing its handling and benefits. KPIs are introduced to show efficiency and effectiveness of GBPT.
SPICE (Software Process Improvement and Capability Determination) defines methods for evaluating complete process models and organizations. A distinction is made between process reference models (PRM) and process assessment models (PAM). The former describes process requirements. Based on this, process assessment models define assessments criteria and assessment methods.
When using Medical SPICE, medical device manufacturers can, among other things, gain more security when working with software suppliers. In the automotive sector, SPICE has proven itself in evaluating the performance of development processes. An equivalent evaluation model is now available specifically for medical technology.
Medical SPICE brings two topics together: check compliance and measure and improve process capability. With Medical SPICE, medical companies can, e.g. Reduce risks for audit and approval, control risks of suppliers and improve process capability and security.
Pragmatic and objective-driven application of Medical SPICE, based on our broad and long-standing experiences
Implementation of comprehensive improvement programs
Support to successfully achieve a target maturity level
Conducting appraisals with experienced authorized assessors
Supplier assessments and optimization of supplier processes
Process and project assessments with Medical SPICE
Application of Medical SPICE to improve systems, software, hardware and mechanics development
SIEMENS INDUSTRY CASE STUDY
Lean Requirements Engineering
Software-intensive critical systems in medical technology are under immense market pressure. While they must be technologically innovative, and exhibit safety without any compromise, the global markets require an ever shorter cycle time with simutaneous efficiency pressure. This Siemens industry case study showed increased productivity through lean and efficient development processes.