Manipulating Medical Devices
The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website .
To select appropriate devices for security assessments whithin project ManiMed, the following requirements have been established by the BSI:
These four constraints/requirements have to be met for devices subjected to IT security assessments apart from the fact that the selected device categories are dependent on high security postures due to their impact on patient safety.
However, these selection criteria may also introduce certain biases to the results of the security assessment for the following reasons:
- The date, January 1, 2014, is deemed reasonable to include only devices with novel communication interfaces that might be affected by vulnerabilities. Devices placed on the German market before this date might also possess such interfaces, but these devices are excluded from the analysis.
- Excluding devices on which vulnerabilities were already disclosed in the past or which were part of a published security assessment might also incur a bias for this assessment. Primarily because these devices might yield additional security vulnerabilities apart from what was already published, therefore reducing possible findings within this project. However, these devices might still have additional security vulnerabilities apart from the already published ones or the ones discovered via the security assessment. On the other hand, if no security vulnerabilities have been published so far, this could mean that either the vendor himself is performing intensive security assessments before the market release or that nobody has analyzed the device yet. The market analysis does not consider these points.
The following categories were chosen prior to the start of this project:
All selected categories correspond to devices that might have a critical impact on patient safety in case of security issues.To search for devices that fulfill the requirements listed in Figure 1 and belong to one of the categories listed in Figure 2, several sources were utilized that are presented in the following. For each device category, the results of this search are illustrated as flow charts. Further information on the selection criteria used in the different iterations of the search is provided there. Detailed information about the devices assessed and the results of the assessments are given in subsequent blog posts.
The following sources were used to perform the market analysis:
- Medical Devices Notifications Database
- Inquiry to Medical Facilities
- Public Information from Medical Device Vendors
- Internet Research
- Questionnaire to Vendors
Medical Devices Notifications Database
The Federal Institute for Drugs and Medical Devices (BfArM) operates an information system on medical devices used, for example, for notifying competent authorities according to § 33 of the Act on Medical Devices . The public part of this information system contains the Medical Devices Notifications (MPA) database. At the time of this investigation (June 04, 2019), the database comprised 105,730 medical devices since the beginning of data acquisition in 2002. This count constantly changes, as the database receives daily updates. Requests to the database are sent via the MPA SmartSearch interface. This interface allows defining individual fields of the database and combining search queries. Certain fields feature a fixed range of possible values, which can be queried via an index. Furthermore, searches with wildcards for free text fields are possible. The results of a query can be exported via a watchlist in XML format. The MPA database can be accessed using the Medical Device Information System box provided by BfArM .
Not all medical devices approved for the German market are included within the database. It stands to reason that an incomplete synchronization causes this discrepancy with other medical device databases in the European Union. For example, if the first placing of a medical device occurred in another state of the EU, it is likely to be registered with the corresponding national database only. Furthermore, some manufacturers do not register complete devices in these databases but file different components and modules separately. This makes it very difficult for others to reconstruct all necessary parts of a device. Therefore, additional sources to identify medical devices approved for the German market were used.
Inquiry to Medical Facilities
To estimate which medical devices facilities in Germany use, inquiries were sent to selected facilities with an appeal to provide information on their inventory of medical devices. The template for the letters can be found in the report  in Section 8.2.
Public Information of Medical Device Vendors
As a third source, information that has been published by the medical device vendors was used to identify additional medical devices. Online search engines, the MPA data, and the inquiry to the medical facilities were utilized to identify vendors for medical devices within the different categories. Afterward, the vendor’s device portfolio was analyzed for suitable devices. Specifications for the devices were used to investigate if the device features any networking functionality or other promising interfaces.
Apart from the information published by medical device vendors, lists of exhibitors of relevant medical informatics and medical product fairs were used to maximize the number of vendors for the market analysis. This search was predominantly conducted online. It includes the Digital Medical Expertise & Applications (DMEA) and the MEDICA. Both fairs are internationally recognized and the largest in their respective branches, which has the advantage that exhibitors on these fairs represent a significant percentage of the global medical device market.
Moreover, recent technical advances in the medical field were incorporated via an investigation of scientific publications and case studies as well as practical evaluations of national and international pilot projects. For example, PubMed (NCBI) was used as one of the sources for this investigation. PubMed is an English, text-based Meta database containing medical and scientific articles. The database is developed and operated by the National Center for Biotechnology Information (NCBI) within the National Library of Medicine (NLM) by the National Institute of Health (NIH) of the USA.
A further source is the German National Library (German: Deutsche Nationalbibliothek, DNB), which is the central archive library for all media work published in German (DNB).
No further devices could be identified via this method, i.e. all devices were already identified via other sources.
Questionnaire to Vendors
In individual cases, where only limited information was available, a questionnaire was sent to the medical device vendors to gain further information. The content of the questionnaire is provided in the report’s Section 8.3 .
The selection of the devices for each category is based on the sources presented. The overall selection process follows the steps laid out in Figure 3.
The figure shows the basic selection of medical devices containing all devices that have been identified via the Internet research, the medical MPA database research, and the responses to the inquiries sent to health delivery organizations. Afterward, the devices were evaluated for their communication interfaces and devices were sorted out that do not possess relevant communication interfaces. For the remaining devices, it was evaluated if vulnerabilities or reports about security assessments have already been published. If not, these devices were included in the preselection. In a final step, if there were more than five devices left, vendors were queried for more details on the devices. The details were used to generate a prioritized list of devices for the assessment. It is noted that selected devices are further described from a technical perspective in Section 3.
Implantable Pacemakers, Programmers, Home Monitoring Units
For the market analysis of medical devices, the Medical Device Notifications (MPA) database was used as a basis. Here, the exemplary analysis focuses on pacemakers approved in Germany that were granted access to the market in the past five years. Figure 4 shows the selection process for pacemakers along with the associated selection criteria in a flow chart. The criteria modification date, type of report, and category are strict exclusion criteria of this database search.
Based on the information in the report (in particular the market distribution of vendors), the following pacemaker infrastructures were selected for the assessment:
- Biotronik: Rivacor 7 VR-T DX, Renamic Neo, Cardio Messenger Smart
- Medtronic: CareLink SmartSync Device Manager System
The research focuses on outpatient insulin pumps licensed in Germany. Clinical insulin infusion pumps are not considered in this category. Figure 5 shows the selection process used for insulin pumps along with associated selection criteria in a flow chart. The criteria modification date, type of report, category, and nomenclature term were strict exclusion criteria for this database search. These results were expanded after a manual review by the Internet research results and feedback on health delivery organizations’ devices. They were also filtered by the exclusion criteria interfaces and focus to obtain a prioritized list of the devices.
To select the devices to be further analyzed within an IT security assessment, priority was assigned to pumps where a mobile app can control the pump in comparison where it can only read historical data. Overall, the following insulin pump systems were selected for the IT security assessment:
- SOOIL: DANA Diabecare RS, AnyDANA-i & AnyDANA-a mobile Apps
- Ypsomed: mylife YpsoPump, mylife App, mylife Cloud
The analysis focuses on ventilators and anesthesia devices approved for Germany. Humidifiers, heaters, and distributors of gases remain out of consideration. Figure 6 shows the selection process used for ventilators along with associated selection criteria in a flow chart. The criteria modification date, type of report, type of product, category, and medical device class were strict exclusion criteria for the database search. These results were expanded after a manual review by the Internet research results and the feedback on devices by health delivery organizations. Two exclusion criteria further filtered them: interfaces and focus. After obtaining further information utilizing questionnaires sent to vendors, a prioritized list of these devices was created.
To select devices for the IT security assessment, the degree of device networking functionalities advertised by the vendor, and the health delivery organizations’ feedback were considered. Overall, the Hamilton Medical AG HAMILTON-T1 ventilator was selected for the IT security assessment. It was planned to assess two ventilators during the ManiMed project. As a response to the situation and circumstances coming along with the Covid-19 pandemic, the second ventilator was not tested within the project timeframe.
Infusion and Syringe Pumps
The research focuses on syringe and infusion pumps. Figure 7 shows the selection process used for syringe and infusion pumps along with associated selection criteria in a flow chart. The criteria modification date, type of notification and, UMDNS code were strict exclusion criteria for this database search. These results were expanded after a manual review by the Internet research results and feedback on health delivery organizations’ devices. They are also filtered by the exclusion criteria interfaces and focus. After obtaining further information utilizing questionnaires sent to vendors, a prioritized list of devices in the result set was generated.
As stated, a second ventilator was not tested. Instead, a third infusion system was selected for the IT security assessment:
- B. Braun Melsungen AG: Space System
- Anonymous: Infusion System #1
- Anonymous: Infusion System #2
Moreover, a pump management system for syringe and infusion pumps was tested:
- COPRA System GmbH: Copus (Copra Pump Management System)
The research focuses on patient monitors approved in Germany. Here, ECG and EEG devices are out of consideration. The diagram in Figure 8 shows the selection process used for the patient monitors along with associated selection criteria in a flow chart. The criteria modification date, type of notification, and UMDNS code were strict exclusion criteria for this database search. These results were expanded after a manual review by the Internet research results and feedback on health delivery organizations’ devices. They are also filtered by the exclusion criteria interfaces and focus. After obtaining further information utilizing questionnaires sent to vendors, a prioritized list of devices in the result set was created.
Overall, the following patient monitors were selected for the IT security assessment:
- Innokas Yhtymä Oy: VC 150 Patient Monitor
- Philips: InIntelliVue MX850, Patient Information Center iX
The following elucidations conclude the market analysis in particular the process of gathering information about medical devices.
When the Medical Device Regulation (MDR) comes into effect, EUDAMED will be the central database where information on medical devices must be made available during the European market’s approval process However, in the project, the EUDAMED database was not used.
A few issues have been identified regarding the MPA database while collecting data used for this project. First, the database does not provide technical information about the communication interfaces of the medical devices. As the main reason for the market analysis was to identify medical devices with an appropriate attack surface (e.g., wireless communication interfaces such as Bluetooth or physical interfaces such as USB). This information could not be retrieved from the database and had to be collected by other means, for example, via the datasheets provided by the FDA (in the case that the device is listed there). Providing such information would not only be valuable for the data collection process performed within this project. However, it may also be of interest to patients with a technical interest to understand medical devices’ communication interfaces in a particular device category. It remains to be observed how far the EUDAMED database can provide such information. However, from the authors’ perspective, a database providing technical information about the communication interfaces is useful for different audiences. The information that should be contained in such a database for a medical device is the types of interfaces (i.e., USB 3.0, Ethernet) and a reference to the interfaces’ technical datasheet.
Moreover, during the information gathering using the MPA database, it was found that not necessarily all approved devices on the German market have been listed within this database. Reasons that could be identified were product families that build a construction system to enable flexibility, compatibility between multiple products of the same product family, which resulted in listing the individual part separately. Further, the database does not contain sufficient information about medical software certified as Software as Medical Device (SaMD). Other possibilities for not identifying all products could be that only access to the public part of the database is possible for private parties.
 Bundesamt für Sicherheit in der Informationstechnik (BSI). Veröffentlichungen. Online (accessed January 11, 2021): https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eHealth/Medizintechnik/Veroeffentlichungen/cybermed_node.html
 Bundesgesetzblatt. (2. August 1994). Gesetz über Medizinprodukte. Online (accessed January 11, 2021): https://www.gesetze-im-internet.de/mpg/
 Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM). Medizinproduke-Informationssystem. Online (accessed January 11, 2021) https://www.dimdi.de/dynamic/de/medizinprodukte/informationssystem/
 IQTIG. (2016). Jahresbericht 2016 des Deutschen Herzschrittmacher- und Defibrillatorregister – Teil 1 Herzschrittmacher. Online (accessed January 11, 2021): https://pacemaker-register.de/wp-content/uploads/Jahresbericht-2016-des-Deutschen-Herzschrittmacher-und-Defibrillatorregister-Teil-1-Herzschrittmacher.pdf