Continuous security patch delivery and risk management for medical devices

This paper is a case study describing our practical experience in the area of cybersecurity for medical devices. We describe how Siemens Healthineers uses a continuous security patch delivery model in a regulated market across 15+ business lines which cover our huge portfolio of imaging modalities, laboratory and point-of-care instruments. The case study addresses how we have implemented a continuous security patch delivery strategy. The strategy embraces a systematic way of product-specific vulnerability evaluations based on design knowledge and operator-oriented risk communication which are the novel aspects of this work. Focusing on the 'real' cybersecurity risks in the early phase of the continuous delivery process leads to reduced cost for post-market management of medical devices. The paper also describes how this dynamic, continuous and highly automated approach is intended to satisfy the current and future demands of the National Telecommunications and Information Administration (NTIA) the existing FDA post-market guidance and the upcoming revision of the FDA pre-market guidance on cybersecurity to provide operators with a "software hill of material" (SBOM).