For our considerations, only devices
with hardware, software, and some
form of interoperability are of interest.
Artificial joints, for example, do not
do any processing, that is, there is no
software involved. Thus, we can ignore
them from a security perspective. How-
ever, they may indeed be critical from a
safety point of view.
At this point, we emphasize the
importance of secure medical de-
vices. It is not really about preventing
someone from killing someone else
by means of a medical device. How-
ever remote and unlikely this scenario
might sound, it is not completely im-
plausible. Securing medical devices
is securing a critical infrastructure. It
is about preventing malicious people
from taking control of this infrastruc-
ture, about preventing a potential
blackmail of device manufacturers
or health institutions, and about the
sense of well-being of any person who
needs to use any such device.
Major IT security incidents that affect
the general public are almost regu-
larly reported in the media. Examples
include stolen passwords, stolen
credit card information, or website
availability problems. The loss, theft,
or exposure of personally identifiable
information is one major problem
that is also widespread in the health
care sector, which accounts for one-
fifth of all these reported issues.
The FDA collects information regard-
ing reportable issues with medical
devices to capture and identify ad-
verse and unexpected events for a
particular device or device type. Each
year, several hundred thousand med-
ical device reports are received about
suspected device-associated deaths,
serious injuries, and malfunctions.
An analysis of these recalls and
events has shown that both the num-
ber of recalls and adverse events have
increased over the years.