Medical assessment and design solutions for cybersecurity of connected medical devices

Secure Society Health & Wellbeing

Project Vision

The European health care system is moving toward personalised, distributed, and home-based services. This is made possible via new and improved connected medical devices (MDs) and in vitro diagnostic devices connected to the internet (together, CMDs), and will benefit health care providers in terms of reduced cost (fewer hospital beds) and improved service. Patients will see improved quality of life in terms of reduced travel time and reduced stress via treatment at home or where they want it. However, for these benefits to be fully realised, the cybersecurity of CMDs needs to be ensured.

NEMECYS will benefit practitioners such as cybersecurity communities, MD manufacturers, CMD scenario system integrators and CMD scenario operators (e.g. health care providers), with downstream benefits to patients and the wider public, through more cost-effective and efficient care enabled via effective and streamlined cybersecurity.

NEMECYS helps practitioners to (i) comply with MD regulations; (ii) apply proportionate MD cybersecurity (too little security risks exposure, too much is costly and can obstruct clinical care); and (iii) build in cybersecurity by design for both MDs and the connected scenarios they operate in. This is achieved by (i) providing recommendations for best practice and guidelines for MD cybersecurity by design, along with compliance assurance tooling; (ii) providing a risk-benefit scheme to address cybersecurity risk balanced with clinical benefit; and (iii) providing a set of specific tools to address MD cybersecurity by design and their deployment in connected scenarios.

The NEMECYS team has cybersecurity risk experts, two hospitals who are already implementing IoT and remote care-based scenarios, three medical device manufacturers, major computer science research players and experienced systems integrators. This team is ideally placed to ensure that NEMECYS can enable practitioners to apply the right security at the right place.

Project Objectives

NEMECYS will address cybersecurity of connected medical devices (CMDs) via three integrated approaches.

  • We will review relevant medical device (MD) guidelines, with the objective of providing recommendations for improvement. In consultation with domain experts we will utilise four exemplary case studies to identify gaps, recommendations to address them, and best practice. We will synthesise the results and feed them back to the relevant communities.
  • We will investigate proportionate risk-benefit schemes. We will extend the existing state-of-the-art background cybersecurity risk assessment work of the partners to accommodate connected medical device situations, where the cybersecurity risks of connected and in vitro medical devices are balanced with ethical concerns and clinical benefit to determine proportionate actions based on considerations of vulnerability, patient benefit and rights.
  • We will deliver tools and toolboxes targeted at three user types that reflect the lifecycle of CMDs: at design time (supporting CMD Manufacturers), during integration into connected multi-stakeholder scenarios (supporting CMD System Integrators) and in the operation of these scenarios (supporting Operators such as hospitals or care providers). Within the toolboxes, we will provide tools supporting and semi-automating CMD compliance, risk-benefit analysis, data privacy of software (e.g. AI / ML) when it is used as a medical device, secure integration of CMDs in connected scenarios, CMD management and vulnerability detection. The toolboxes will be extensible for new tools developed within the project or from outside. The NEMECYS work will be driven and validated by four case studies in relevant connected medical device and in vitro device scenarios.

IT Innovation's Role

IT Innovation's contribution is a set of extensions to our risk modelling tool, which enables cybersecurity risks to be assessed in order to find the most appropriate security to mitigate them: enough security, but not too much, so that the security does not compromise the clinical benefits offered by the devices.

Project Funding

Horizon Europe Logo
