Strengthening Cyber Risk Management for the Internet of Medical Things: Key Takeaways from the NEMECYS Workshop

On April 29, 2025, the NEMECYS Horizon Europe Project hosted the public event “Towards Addressing Challenges in Cyber Risk Management: Case Studies on the Internet of Medical Things,” in Oslo, Norway, in collaboration with the MedSecurance Project and the EnTrust Project.

This public workshop brought together experts in cyber risk management, cybersecurity, and healthcare to explore key challenges and discuss practical solutions. The event featured interactive discussions, live demonstrations, and networking with key stakeholders, reflecting the growing importance of cybersecurity in connected medical devices.

Expert Presentations

The workshop featured insightful presentations from key experts:

  • Gencer Erdogan (SINTEF Digital) – Presented the societal value and importance of cyber risk management in the Internet of Medical Things.
  • Steve Taylor (University of Southampton) – Addressed the risks and consequences of insecure connected medical devices and the importance of proportionate cybersecurity.
  • Adam Ntanis (PD Neurotechnology Ltd.) – Presented cybersecurity risks in wearable medical devices and risk modelling using the tools CORAS and Spyderisk System Modeller (SSM).
  • Samuel Senior (University of Southampton) – Demonstrated Spyderisk System Modeller (SSM) for risk assessments and risk simulation in the NEMECYS project.
  • Simeon Andersen Tverdal (SINTEF Digital) – Demonstrated the CORAS tool for modelling, evaluating, and monitoring cyber risks using risk indicators in the NEMECYS project.
  • Miroslaw Malinowski (University of Warwick) – Presented MEDSECURANCE’s methodology for secure and safe IoMT development.
  • Adela N. Videsjorden (SINTEF Digital) – Presented AI-based misbehavior detection using digital twins in ENTRUST.
  • Dr Nic Fair (University of Southampton) – Moderated the interactive sessions, guiding the discussions, posing key questions, and capturing feedback from participants.

Key Takeaways from Workshop Discussions

Session 1: Risk Management Practices & Challenges

The session highlighted that risk assessments are largely manual, using Excel and techniques like STRIDE. While these approaches provide valuable insights, they are labour-intensive and time-consuming.

Challenges identified:

  • Automation is desirable but concerns remain around quality assurance.
  • A critical need exists for explainable and validated AI-based solutions to support automation.
  • Regulatory frameworks such as MDR, FDA, ISO 14971, ISO 27005, and ISO 13485 are perceived as complex and sometimes ambiguous, leading to frustration.

Purposes of risk management:

  • Regulatory compliance.
  • Supporting sales and market access through meeting certification requirements.
  • Protection against cyberattacks and reputational damage.

Expectations for risk assessment tools:

  • Explainability and transparent results.
  • Support for uncertainty quantification, tailored to the context of use.
  • Interest in automating knowledge bases to reflect new attack types, though feasibility is debated.

Session 2: Balancing Cybersecurity with Competing Priorities

This session focused on the tensions and frictions that arise when balancing cybersecurity with other priorities.

Main tensions identified:

  • Speed vs. Security – Fast development cycles often challenge robust security practices.
  • GDPR vs. Usability – A recurring question emerged: How do we “hide the patient without hiding it from everyone?”
  • MDR vs. Innovation – Regulatory requirements can hinder innovation, with modular system design suggested as a solution.
  • Organisational vs. Device-Specific Controls – Centralised controls are often too broad for device-specific application.

Regulatory challenges:

  • The regulatory landscape is seen as confused and fragmented, creating uncertainty over which standards apply and when.
  • Many participants raised concerns about unclear guidance on which standards apply to a given device and how to comply with them effectively.

Output and communication needs:

  • Risk assessment outputs need to serve multiple stakeholders, with support for various formats: JSON, PDF, Excel, CSV, Python scripts, and more.
  • There is a need to reflect patient safety and product-specific risks in a structured manner.

Collaborating for Safer Healthcare Systems

The workshop highlighted the importance of stakeholder engagement to shape effective and secure IoMT solutions. Real-world feedback from experts and industry players is crucial in refining the tools and methodologies developed within NEMECYS, MedSecurance, and EnTrust, ensuring they meet practical needs and support regulatory demands.

We extend our thanks to all speakers and participants for their valuable contributions and insightful discussions. Together, we are paving the way for stronger, safer connected healthcare solutions.