Breaking

ManiMed: Market Analysis

Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Intitial Situation

To select appropriate devices for security assessments whithin project ManiMed, the following requirements have been established by the BSI:

Requirements for medical devices within the market analysis.
Figure 1: Requirements for medical devices within the market analysis. [1, p. 24]
These four constraints/requirements have to be met for devices subjected to IT security assessments apart from the fact that the selected device categories are dependent on high security postures due to their impact on patient safety.

However, these selection criteria may also introduce certain biases to the results of the security assessment for the following reasons:

  • The date, January 1, 2014, is deemed reasonable to include only devices with novel communication interfaces that might be affected by vulnerabilities. Devices placed on the German market before this date might also possess such interfaces, but these devices are excluded from the analysis.
  • Excluding devices on which vulnerabilities were already disclosed in the past or which were part of a published security assessment might also incur a bias for this assessment. Primarily because these devices might yield additional security vulnerabilities apart from what was already published, therefore reducing possible findings within this project. However, these devices might still have additional security vulnerabilities apart from the already published ones or the ones discovered via the security assessment. On the other hand, if no security vulnerabilities have been published so far, this could mean that either the vendor himself is performing intensive security assessments before the market release or that nobody has analyzed the device yet. The market analysis does not consider these points.

The following categories were chosen prior to the start of this project:

Medical device categories for market analysis.
Figure 2: Medical device categories for market analysis. [1, p. 25]
All selected categories correspond to devices that might have a critical impact on patient safety in case of security issues.To search for devices that fulfill the requirements listed in Figure 1 and belong to one of the categories listed in Figure 2, several sources were utilized that are presented in the following. For each device category, the results of this search are illustrated as flow charts. Further information on the selection criteria used in the different iterations of the search is provided there. Detailed information about the devices assessed and the results of the assessments are given in subsequent blog posts.

Sources

The following sources were used to perform the market analysis:

  • Medical Devices Notifications Database
  • Inquiry to Medical Facilities
  • Public Information from Medical Device Vendors
  • Internet Research
  • Questionnaire to Vendors

Medical Devices Notifications Database

The Federal Institute for Drugs and Medical Devices (BfArM) operates an information system on medical devices used, for example, for notifying competent authorities according to § 33 of the Act on Medical Devices [2]. The public part of this information system contains the Medical Devices Notifications (MPA) database. At the time of this investigation (June 04, 2019), the database comprised 105,730 medical devices since the beginning of data acquisition in 2002. This count constantly changes, as the database receives daily updates. Requests to the database are sent via the MPA SmartSearch interface. This interface allows defining individual fields of the database and combining search queries. Certain fields feature a fixed range of possible values, which can be queried via an index. Furthermore, searches with wildcards for free text fields are possible. The results of a query can be exported via a watchlist in XML format. The MPA database can be accessed using the Medical Device Information System box provided by BfArM [3].

Not all medical devices approved for the German market are included within the database. It stands to reason that an incomplete synchronization causes this discrepancy with other medical device databases in the European Union. For example, if the first placing of a medical device occurred in another state of the EU, it is likely to be registered with the corresponding national database only. Furthermore, some manufacturers do not register complete devices in these databases but file different components and modules separately. This makes it very difficult for others to reconstruct all necessary parts of a device. Therefore, additional sources to identify medical devices approved for the German market were used.

Inquiry to Medical Facilities

To estimate which medical devices facilities in Germany use, inquiries were sent to selected facilities with an appeal to provide information on their inventory of medical devices. The template for the letters can be found in the report [1] in Section 8.2.

Public Information of Medical Device Vendors

As a third source, information that has been published by the medical device vendors was used to identify additional medical devices. Online search engines, the MPA data, and the inquiry to the medical facilities were utilized to identify vendors for medical devices within the different categories. Afterward, the vendor’s device portfolio was analyzed for suitable devices. Specifications for the devices were used to investigate if the device features any networking functionality or other promising interfaces.

Internet Research

Apart from the information published by medical device vendors, lists of exhibitors of relevant medical informatics and medical product fairs were used to maximize the number of vendors for the market analysis. This search was predominantly conducted online. It includes the Digital Medical Expertise & Applications (DMEA) and the MEDICA. Both fairs are internationally recognized and the largest in their respective branches, which has the advantage that exhibitors on these fairs represent a significant percentage of the global medical device market.

Moreover, recent technical advances in the medical field were incorporated via an investigation of scientific publications and case studies as well as practical evaluations of national and international pilot projects. For example, PubMed (NCBI) was used as one of the sources for this investigation. PubMed is an English, text-based Meta database containing medical and scientific articles. The database is developed and operated by the National Center for Biotechnology Information (NCBI) within the National Library of Medicine (NLM) by the National Institute of Health (NIH) of the USA.

A further source is the German National Library (German: Deutsche Nationalbibliothek, DNB), which is the central archive library for all media work published in German (DNB).

No further devices could be identified via this method, i.e. all devices were already identified via other sources.

Questionnaire to Vendors

In individual cases, where only limited information was available, a questionnaire was sent to the medical device vendors to gain further information. The content of the questionnaire is provided in the report’s Section 8.3 [1].

Results

The selection of the devices for each category is based on the sources presented. The overall selection process follows the steps laid out in Figure 3.

The figure shows the basic selection of medical devices containing all devices that have been identified via the Internet research, the medical MPA database research, and the responses to the inquiries sent to health delivery organizations. Afterward, the devices were evaluated for their communication interfaces and devices were sorted out that do not possess relevant communication interfaces. For the remaining devices, it was evaluated if vulnerabilities or reports about security assessments have already been published. If not, these devices were included in the preselection. In a final step, if there were more than five devices left, vendors were queried for more details on the devices. The details were used to generate a prioritized list of devices for the assessment. It is noted that selected devices are further described from a technical perspective in Section 3.

The overall selection process performed during the market analysis..
Figure 3: The overall selection process performed during the market analysis. [1, p. 27]

Implantable Pacemakers, Programmers, Home Monitoring Units

For the market analysis of medical devices, the Medical Device Notifications (MPA) database was used as a basis. Here, the exemplary analysis focuses on pacemakers approved in Germany that were granted access to the market in the past five years. Figure 4 shows the selection process for pacemakers along with the associated selection criteria in a flow chart. The criteria modification date, type of report, and category are strict exclusion criteria of this database search.

The search with the MPA database resulted in 19 potential devices. However, after a manual review of these devices, it was asserted that the devices did not contain any interfaces worth investigating in an IT security assessment. Moreover, in this category, every single part of the pacemaker system is listed separately. The final implanted product is more like a construction system to enable flexibility, compatibility between multiple products of the same product family, and ease certification. Moreover, the inquiries sent to medical facilities yielded no further device information. Finally, the 2016 annual report of the German Pacemaker and Defibrillator Registry [4] was consulted as it contains a list quantifying the number of implanted pacemakers per vendor in 2014, 2015, and 2016. Such a list was not included in the 2017 report, so the 2017 report could not be used to obtain this data.
Flow chart illustrating the MPA search process for implantable pacemakers.
Figure 4: Flow chart illustrating the MPA search process for implantable pacemakers. [1, p. 29]

Based on the information in the report (in particular the market distribution of vendors), the following pacemaker infrastructures were selected for the assessment:

  • Biotronik: Rivacor 7 VR-T DX, Renamic Neo, Cardio Messenger Smart
  • Medtronic: CareLink SmartSync Device Manager System

Insulin Pumps

The research focuses on outpatient insulin pumps licensed in Germany. Clinical insulin infusion pumps are not considered in this category. Figure 5 shows the selection process used for insulin pumps along with associated selection criteria in a flow chart. The criteria modification date, type of report, category, and nomenclature term were strict exclusion criteria for this database search. These results were expanded after a manual review by the Internet research results and feedback on health delivery organizations’ devices. They were also filtered by the exclusion criteria interfaces and focus to obtain a prioritized list of the devices.

As shown in Figure 5, eight devices fulfilling the requirements were identified after applying the exclusion criteria to the database search. Moreover, the inquiries sent to medical facilities resulted in no further devices.For the Internet research, patient portals, Internet forums, and information websites were systematically searched for device lists and device reviews. Four insulin pumps were identified, which gained approval for the German market after January 1, 2014, and are not listed in the MPA database.In sum, twelve devices could be identified after all three sources were evaluated. These devices were further examined for their attack surface, i.e., if these devices have any communication interfaces implemented. This yielded six devices. Furthermore, devices for which vulnerabilities were published had to be excluded such that a total number of four devices remained.
Flow chart illustrating the selection process for insulin pumps.
Figure 5: Flow chart illustrating the selection process for insulin pumps. [1, p. 31]

To select the devices to be further analyzed within an IT security assessment, priority was assigned to pumps where a mobile app can control the pump in comparison where it can only read historical data. Overall, the following insulin pump systems were selected for the IT security assessment:

  • SOOIL: DANA Diabecare RS, AnyDANA-i & AnyDANA-a mobile Apps
  • Ypsomed: mylife YpsoPump, mylife App, mylife Cloud

Ventilators

The analysis focuses on ventilators and anesthesia devices approved for Germany. Humidifiers, heaters, and distributors of gases remain out of consideration. Figure 6 shows the selection process used for ventilators along with associated selection criteria in a flow chart. The criteria modification date, type of report, type of product, category, and medical device class were strict exclusion criteria for the database search. These results were expanded after a manual review by the Internet research results and the feedback on devices by health delivery organizations. Two exclusion criteria further filtered them: interfaces and focus. After obtaining further information utilizing questionnaires sent to vendors, a prioritized list of these devices was created.

As shown in Figure 6, after applying the exclusion criteria to the database search, 56 devices fulfilling the requirements were identified. Moreover, three clinical ventilators were reported in response to the inquiry sent to clinical facilities, of which two were eligible regarding their appearance on the German market. However, both devices were already identified by searching the MPA database.For the Internet research, ventilators were searched on websites of, for example, medical technology fairs such as MEDICA for devices not yet included in the result set. In the process, 20 devices were identified, which were possible candidates but not listed in the MPA database. It should be mentioned that devices were also included if no specific date of approval for the German market could be identified.Therefore, 78 devices were identified after making use of all three sources. These devices were further examined for their attack surface, i.e., if these devices have any communication interfaces implemented. This resulted in a total number of 31 devices. Furthermore, none of the devices had publicly known vulnerabilities and, hence, none of the devices were excluded.
Flow chart illustrating the selection process for ventilators.
Figure 6: Flow chart illustrating the selection process for ventilators. [1, p. 33]

To select devices for the IT security assessment, the degree of device networking functionalities advertised by the vendor, and the health delivery organizations’ feedback were considered. Overall, the Hamilton Medical AG HAMILTON-T1 ventilator was selected for the IT security assessment. It was planned to assess two ventilators during the ManiMed project. As a response to the situation and circumstances coming along with the Covid-19 pandemic, the second ventilator was not tested within the project timeframe.

Infusion and Syringe Pumps

The research focuses on syringe and infusion pumps. Figure 7 shows the selection process used for syringe and infusion pumps along with associated selection criteria in a flow chart. The criteria modification date, type of notification and, UMDNS code were strict exclusion criteria for this database search. These results were expanded after a manual review by the Internet research results and feedback on health delivery organizations’ devices. They are also filtered by the exclusion criteria interfaces and focus. After obtaining further information utilizing questionnaires sent to vendors, a prioritized list of devices in the result set was generated.

As shown in Figure 7, no device listed in the database fulfilled all requirements, and the selected table was returned empty.The questionnaires sent to medical facilities resulted in seven devices of clinical infusion and syringe pumps. Additionally, different websites, e.g., medical technology trade fairs such as MEDICA, were evaluated for viable infusion and syringe pumps during the Internet research. Furthermore, at the beginning of the search, feedback from health delivery organizations was already available, so that the devices reported therein could be utilized as a starting point. 34 devices were identified that are not listed in the MPA database. It should be noted that devices are also included for which no specific date of approval for the German market could be identified. Furthermore, most infusion systems were put on the market before 2014 and are regularly expanded by new pumps. Therefore, the market access criterion was not used as a strict exclusion criterion; otherwise, no devices would be available for subsequent security analysis.Infusion and syringe pumps are rarely used alone in a clinical context, as multiple drugs and infusions are often administered in parallel with different pumps. For this reason, they have no additional networking interfaces except for infrared and serial interfaces. Instead, they are aggregated into docking stations, which then provide a shared networking interface for all pumps. For this reason, networked infusion and syringe pumps in this project were analyzed in combination with their device series, as they usually have a networked docking station. For the device series to remain in the result set, they needed at least one network interface, e.g. WLAN, Ethernet, RFID / NFC or Bluetooth for connection to a Patient Data Management Systems (PDMS). To filter these interfaces, technical device datasheets, flyers, and manuals were used. Overall, this resulted in seven device ecosystems. Two of these ecosystems already had published vulnerabilities leaving five of them as eligible candidates for this assessment.To select the devices for further analysis within an IT security assessment, priority was given to infusion and syringe pumps based on feedback from health delivery organizations and existing interfaces. Network interfaces such as Ethernet and WLAN were prioritized first, followed by USB and serial interfaces. To choose between devices with similar interfaces, the number of devices purchased by participating health delivery organizations was considered.
Flow chart illustrating the selection process, for infusion and syringe pumps.
Figure 7: Flow chart illustrating the selection process, for infusion and syringe pumps. [1. p. 35]

As stated, a second ventilator was not tested. Instead, a third infusion system was selected for the IT security assessment:

  • B. Braun Melsungen AG: Space System
  • Anonymous: Infusion System #1
  • Anonymous: Infusion System #2

Moreover, a pump management system for syringe and infusion pumps was tested:

  • COPRA System GmbH: Copus (Copra Pump Management System)

Patient Monitors

The research focuses on patient monitors approved in Germany. Here, ECG and EEG devices are out of consideration. The diagram in Figure 8 shows the selection process used for the patient monitors along with associated selection criteria in a flow chart. The criteria modification date, type of notification, and UMDNS code were strict exclusion criteria for this database search. These results were expanded after a manual review by the Internet research results and feedback on health delivery organizations’ devices. They are also filtered by the exclusion criteria interfaces and focus. After obtaining further information utilizing questionnaires sent to vendors, a prioritized list of devices in the result set was created.

As shown in Figure 8, after every exclusion criterion was applied and the devices were manually reviewed for their attack surface, eight devices were left. Moreover, at the time of writing, five clinical patient monitor devices were reported by health deliver organizations, but four were launched before 2014 and, therefore, not eligible for testing. As a result, only one additional device was obtained from the response from health delivery organizations.For the Internet research, patient monitors were searched on medical technology fairs’ websites, such as MEDICA, for devices not yet included in the result set. 18 devices could be identified that were approved for the German market after January 1, 2014 and were not listed in the MPA database of BfArM.Overall, the three sources resulted in 27 feasible devices. However, four devices had already published vulnerabilities, and eight devices possessed no relevant network interfaces such that the search resulted in a total number of 15 devices.A prioritizing factor was the date of market access, so newer devices were preferred over older ones. Also, devices with a central management software were favored over devices without such a solution. Furthermore, extended network functionality such as centralized user management via, e.g., LDAP or standardized communication interfaces such as HL7 standards or ADT, had a higher priority. Specialized devices for use in limited applications, such as devices that can be used within magnetic resonance tomography, were given less priority because they usually exhibit fewer interfaces due to the environmental conditions.
Flow chart illustrating the selection process for patient monitors.
Figure 8: Flow chart illustrating the selection process for patient monitors. [1. p. 37]

Overall, the following patient monitors were selected for the IT security assessment:

  • Innokas Yhtymä Oy: VC 150 Patient Monitor
  • Philips: InIntelliVue MX850, Patient Information Center iX

Conclusions

The following elucidations conclude the market analysis in particular the process of gathering information about medical devices.

When the Medical Device Regulation (MDR) comes into effect, EUDAMED will be the central database where information on medical devices must be made available during the European market’s approval process However, in the project, the EUDAMED database was not used.

A few issues have been identified regarding the MPA database while collecting data used for this project. First, the database does not provide technical information about the communication interfaces of the medical devices. As the main reason for the market analysis was to identify medical devices with an appropriate attack surface (e.g., wireless communication interfaces such as Bluetooth or physical interfaces such as USB). This information could not be retrieved from the database and had to be collected by other means, for example, via the datasheets provided by the FDA (in the case that the device is listed there). Providing such information would not only be valuable for the data collection process performed within this project. However, it may also be of interest to patients with a technical interest to understand medical devices’ communication interfaces in a particular device category. It remains to be observed how far the EUDAMED database can provide such information. However, from the authors’ perspective, a database providing technical information about the communication interfaces is useful for different audiences. The information that should be contained in such a database for a medical device is the types of interfaces (i.e., USB 3.0, Ethernet) and a reference to the interfaces’ technical datasheet.

Moreover, during the information gathering using the MPA database, it was found that not necessarily all approved devices on the German market have been listed within this database. Reasons that could be identified were product families that build a construction system to enable flexibility, compatibility between multiple products of the same product family, which resulted in listing the individual part separately. Further, the database does not contain sufficient information about medical software certified as Software as Medical Device (SaMD). Other possibilities for not identifying all products could be that only access to the public part of the database is possible for private parties.

References

[1] Bundesamt für Sicherheit in der Informationstechnik (BSI). Veröffentlichungen. Online (accessed January 11, 2021): https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eHealth/Medizintechnik/Veroeffentlichungen/cybermed_node.html

[2] Bundesgesetzblatt. (2. August 1994). Gesetz über Medizinprodukte. Online (accessed January 11, 2021): https://www.gesetze-im-internet.de/mpg/

[3] Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM). Medizinproduke-Informationssystem. Online (accessed January 11, 2021) https://www.dimdi.de/dynamic/de/medizinprodukte/informationssystem/

[4] IQTIG. (2016). Jahresbericht 2016 des Deutschen Herzschrittmacher- und Defibrillatorregister – Teil 1 Herzschrittmacher. Online (accessed January 11, 2021): https://pacemaker-register.de/wp-content/uploads/Jahresbericht-2016-des-Deutschen-Herzschrittmacher-und-Defibrillatorregister-Teil-1-Herzschrittmacher.pdf

Leave a Reply

Your email address will not be published. Required fields are marked *