Rising quality awareness as well as increasing cost pressure in the public health sector create high demands on hospitals, pharmaceutical companies, and manufacturers of medical equipment. At the same time, vulnerabilities in modern electronic devices dramatically increase with complexity and connectivity.
For medical companies, Vector Consulting Services provides professional support in developing and optimizing business and engineering processes. As part of the Vector Group, we work with the industry to improve efficiency with reference to Medical SPICE, to manage quality according to standards and to minimize risks and increase safety.
Through necessary change management, our consultants achieve cost efficiency with measurable benefits, thanks to our experiences in implementing lean and agile processes.
"Vector Consulting Services supported Panasonic with cybersecurity, demonstrating an outstanding level of expertise. The goal of a comprehensive TARA integrated into a security concept was achieved. The support was intense and very successful!"
- Michael Prantke, Project Manager, Panasonic
"Vector Consulting has been supporting Realtech with interim management in a professional and effective way. The structured, methodical and consistent management has sustained our development organization and improved our performance."
Vector Consulting supports implementation and gap/risk analysis for the standards required for medical product development:
Quality Assurance with ISO 13485 (Medical devices, Quality management systems, Requirements for regulatory purposes). Based on traditional quality management standards and adapted to the medical domain.
Medical SPICE for medical product development processes. Medical SPICE is based on the ISO 33001 (Information technology, Process assessment, Concepts and terminology) framework for assessments and improvement of software development processes.
IEC 62304 (Medical device software, software life cycle processes) specifies life cycle requirements for the development of medical software and builds upon the widely used ISO/IEC 12207. It enhances life-cycle management through governance, observability, and mapping to specific medical needs.
ISO 14971 (Medical devices, Application of risk management to medical devices, medical risk management process) consists of several steps for the design, development and production of every medical device.
Medical Devices Regulation and In-vitro Diagnostics Regulation (MDR/IVDR), which set forth requirements for medical device and in vitro diagnostic manufacturers that distribute products in the EU.
IEC 62366 (medical devices, application of usability engineering to medical devices) is the primary standard and specifies usability requirements for the development of medical devices, including negative use cases such as misuse and abuse. Usability matters for medical devices because they combine highest safety demands with lots of direct human interaction by a variety of stakeholders ranging from doctors to nurses, and from administrators to technicians.
Application of general-purpose standards to medical software development, such as test-management according to ISO/IEC/IEEE 29119 (software and systems engineering, software testing) for software testing, IEC 61508 for functional safety of electronic components and ISO 27001 which provides a framework for organizations to establish, implement, operate, monitor, review, maintain and continually improve the Information Security Management System (ISMS).
Safety of Medical Devices Depends on Cybersecurity
Security of medical devices is of prime importance because they deal with the health and data of people. Most of the devices have limited size and hardware so that they fit on the patient's skin. This leads to low-level encryption of data, giving adversaries easy attack potential.
Examples of cyberattacks on medical devices: eavesdropping, data leakage, data corruption, password attacks, sensor confusion, vulnerabilities in application, deceiving forensic examiners (repudiation).
Most security attacks are process and implementation related. Therefore, security is about identification of the attack surface starting with Security Requirements and risk mitigation across the Life-Cycle.
Security by Design
Promoted by safety-driven development
Critical systems should be "Secure by Design"
Frontloading with requirements, bottom-up protection and security engineering
Security by Life-Cycle
Promoted by experiences in IT and software-intensive systems
Add-on to traditional "security-by-design" approach
Counters dynamic changes and evolution of threats and security mechanisms
Cybersecurity and Penetration Testing for Medical Systems
Medical devices are increasingly connected and complex in their software. As they often are highly safety-critical, such as pacemakers and insulin pumps, there is a need to strengthen them against cyberattacks. The healthcare industry is using various methods for security verification and validation, such as static code analysis, fuzzing, classic black-box penetration testing (PenTest). Yet we realize that with classic security testing, vulnerability detection is inefficient and incomplete.
In this article we show how an enhanced TARA-based grey-box PenTest (GBPT) needs fewer test cases while being more effective in terms of coverage and indicating fewer false positives. With its integration into test-oriented requirements engineering (TORE), it supports a true triple peak method, connecting requirements elicitation, analysis and test strategy. A side effect of GBPT is its minimum viable test set, which eases regression testing in agile development and redeliveries while still being FDA compliant. This article introduces the GBPT method and applies it to a real-world insulin pump, thus showing its handling and benefits. KPIs are introduced to show the efficiency and effectiveness of GBPT.
SPICE (Software Process Improvement and Capability Determination) defines methods for evaluating complete process models and organizations. A distinction is made between process reference models (PRM) and process assessment models (PAM). The former describe process requirements. Based on this, process assessment models define assessment criteria and assessment methods.
When using Medical SPICE, medical device manufacturers can, among other things, gain more security when working with software suppliers. In the automotive sector, SPICE has proven itself in evaluating the performance of development processes. An equivalent evaluation model is now available specifically for medical technology.
Medical SPICE brings two topics together: checking compliance, and measuring and improving process capability. With Medical SPICE, medical companies can, e.g., reduce risks for audit and approval, control risks of suppliers and improve process capability and security.
Pragmatic and objective-driven application of Medical SPICE, based on our broad and long-standing experiences
Implementation of comprehensive improvement programs
Support to successfully achieve a target maturity level
Conducting appraisals with experienced authorized assessors
Supplier assessments and optimization of supplier processes
Process and project assessments with Medical SPICE
Application of Medical SPICE to improve systems, software, hardware and mechanics development
SIEMENS INDUSTRY CASE STUDY
Lean Requirements Engineering
Software-intensive critical systems in medical technology are under immense market pressure. While they must be technologically innovative and exhibit safety without any compromise, the global markets require an ever shorter cycle time with simultaneous efficiency pressure. This Siemens industry case study showed increased productivity through lean and efficient development processes.