Cyber risk assessment tools for medical networks and devices
BRANDOZZI, MARCO
2019/2020
Abstract
The interoperability of medical devices and their incorporation into IT networks are becoming ever more pervasive. This, coupled with the increase in cyber-attacks on the IT networks of Health Delivery Organizations that incorporate medical devices, makes the risks to patient safety and to data and system security an issue to be considered within the responsible organization's risk management process across the whole life cycle of a medical device. In this context, IEC 80001-1, ISO/TR 80001-2-2 and European Regulation n. 745/2017 represent the main cybersecurity normative framework with which manufacturers of medical devices have to comply. The aim of this work is to provide a tool that manufacturers can use to evaluate whether their medical devices, intended to be incorporated into a medical IT network, conform to the European cybersecurity regulation and to the most relevant technical standards' requirements, focused in particular on patient safety. The tool consists of an Excel checklist that enables the user to verify whether the basic risk control processes and measures have been applied and whether the overall risk management approach has been correctly implemented. The tool has been tested in a company developing medical device software for healthcare organizations, BiMind srl. The analysis of the results showed that the medical device software concerned is secure, as expected, but the tool also highlighted that some process and product security aspects have to be improved in order to further reduce the cybersecurity risks. Nowadays, patient safety and data and system security are critical. However, despite its relevance, the topic is not homogeneously regulated today. For this reason, a compliance assessment tool would help manufacturers ensure an acceptable level of cybersecurity for a medical device integrated into an IT network.

File | Size | Format | |
---|---|---|---|
CYBER RISK ASSESSMENT TOOLS FOR MEDICAL NETWORKS AND DEVICES.pdf (Open Access from 21/07/2022) | 1.59 MB | Adobe PDF | View/Open |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.12075/3954