Security requirements and recommendations
This section explains the minimum IT security requirements and recommendations for interacting with the device, especially regarding cybersecurity threats.
In order to ensure the safe and secure operation of the device, it is essential to meet certain minimum security requirements. Indeed, these requirements are so essential that they are inherently present in most, if not all, operating systems. Furthermore, these requirements are not specific to the device, but common to any system that processes health data.
For that reason, you most likely don't need to take any specific action. Still, we suggest you review this document. Adhering to these specifications will help prevent unauthorized access, data breaches, and other cyber threats, thereby maintaining the integrity and confidentiality of sensitive health information in your system. This document covers various aspects of IT security, including, but not limited to, secure operating system configurations, network security measures, authentication protocols, and data encryption.
The requirements and recommendations outlined here have been developed in accordance with the latest standards and guidelines from the Medical Device Coordination Group (MDCG) and the Medical Device Regulation (MDR).
Requirements and recommendations
OS selection
- Choose operating systems that are known for strong security features and are supported by the manufacturer. Operating systems should be in active development, with regular security updates and patches available.
- Prefer operating systems that are commonly used in secure environments and have a wide support community, such as certain distributions of Linux specifically designed for enhanced security.
Configuration and hardening
- Configure operating systems according to industry best practices for security. This may involve disabling unnecessary services, closing unused network ports, and removing or disabling default user accounts.
- Apply security hardening guidelines specific to the operating system. Many industry standards and guides, such as those from the Center for Internet Security (CIS), provide detailed steps for hardening various operating systems.
Patch management
- Implement a robust patch management policy to ensure all security patches are applied as soon as they are released. Regularly scheduled patching should occur, with provisions for emergency patching in response to critical vulnerabilities.
- Use tools that automate the patch management process to ensure consistency and reduce the risk of human error.
Least privilege
- Ensure that all users and processes operate under the principle of least privilege, where they are granted only the access rights they need to perform their tasks. This limits the potential damage of a compromised account or process.
- Regularly review and adjust permissions to adapt to changes in usage patterns and to close potential security gaps.
Security features
- Enable and configure built-in security features such as firewalls, access control mechanisms, and secure boot systems that verify the integrity of the operating system at startup.
- Use security-enhanced environments such as SELinux (Security Enhanced Linux), AppArmor, or Windows Defender, which provide additional layers of security and can enforce strict control over system behaviours.
Monitoring and auditing
- Set up system logging and monitoring to detect and respond to security incidents or policy violations. Ensure that logs are retained according to the organization’s data retention policy and are protected from tampering.
- Use intrusion detection systems (IDS) or security information and event management (SIEM) systems to analyze logs and alert administrators of suspicious activities.
User account management
- Enforce strong password policies and consider using password management tools to help users maintain secure passwords.
- Implement account expiration, lockout policies, and regular review of account usage to ensure that credentials are not abused.
Conclusion
As you can see, these recommendations are not specific to the device, but applicable to any computer, especially one that is already used to interact with health records. Providing these guidelines may seem like overstepping our role as a supplier of a medical device, because they all concern how you should configure your own system. Our aim is to help you ensure that your IT infrastructure is adequately prepared to support the safe and effective use of the device, which enhances security and also facilitates optimal performance and reliability.