Trustworthiness of Medical Devices through Third Party Security Evaluations

published on May 19, 2016

Trustworthiness of medical devices comes with the assurance that the security requirements are clear and the security measures are adequate and correctly implemented. A typical security aspect that is at stake for medical devices is that the approved functional features of the product remain trustworthy during the complete lifecycle of such products, also after software upgrades, remote access to the device, etc. Another critical aspect is the confidentiality of personal, medical data (privacy). These data should be protected well in the medical device and connected devices, such as smart phones.

In sectors such as defence and banking, where security of a product is crucial, users of these products usually rely on the assessment by an independent third party of the security features. For these sectors, this is a well-established routine. For the medical sector, this is different. Manufacturers usually have less experience in designing, manufacturing, distributing and maintaining secure products, while the stakes are exceptionally high. A bad security implementation in a medical device can cost lives.

Setting up an accreditation scheme is a proven solution to provide assurance. The stakeholders, e.g. medical professionals, developers, regulators and security experts together define the security requirements and how to test those. An independent security lab, accredited by the scheme, will review design documentation on potential vulnerabilities and conduct the tests to verify whether these vulnerabilities can be exploited. Based on positive test results, written down in a test report, the device can be accredited. The accreditation scheme provides the users of medical devices assurance that the security measures are correctly implemented and the device meets the security requirements. Furthermore, the accreditation scheme should be practical, cost-effective and transparent.

Brightsight is the number one security evaluation lab in the world, with over 30 years of experience in evaluating security products against a variety of requirements, including:

  • Integrated Circuits
  • Embedded Systems
  • Smart Card Software, including crypto-libraries
  • TEE’s
  • HSM’s
  • (Mobile) Payment terminals
  • IT, networking and telecommunication products

Brightsight is Common Criteria, EMVCo and PCI lab since 2002 and is uniquely positioned with its accreditation by multiple Common Criteria Schemes (Germany, Japan, the Netherlands, Norway and Turkey). Brightsight is also accredited for the security evaluation of cloud-based payment solutions by Visa, MasterCard and AmEx. With a staff of over 100 security evaluators, Brightsight can offer their clients the most efficient security evaluations within predictable time frames.

At MedSec 2016 in San José, Brightsight will present their view on setting up an accreditation scheme, based upon third party security assessment. Please join the discussion on the Security and Privacy for the Internet of Medical Things!

For more information on MedSec 2016:


World’s first PCI PTS version 6.x approved after security evaluation completed by Brightsight

published on 2020.08.13


Brightsight, official GSMA member

published on 2020.07.21


Brightsight congratulates BBPOS on achieving PCI SPoC approval

published on 2020.07.07


Successful evaluation by Brightsight leads to Arm receiving the first high-assurance Common Criteria security certification (EAL6+) for their Cortex-M33 and Cortex-M35P soft IP processors

published on 2020.05.12