Cybersecurity is a foundational element that should be embedded from the very beginning in software product design. This is especially true when the solution will work in sensitive environments like hospital networks, where patient safety and data privacy go before all else. In this article experienced Innokas expert Heikki Miinalainen illuminates how to stay ahead of cyber risks when designing software for a sensitive environment.

‍

Experience behind the cyber excellence

Heikki Miinalainen, Senior Software Engineer at Innokas, emphasizes the importance of bringing security needs to the forefront of software development from the very beginning.  “The more cybersecurity is considered in the architecture from the beginning, the less rework will be needed later.”  

Heikki leads the cyber excellence team at Innokas and specializes in software project work and debugging. With a background in competitive programming and ethical hacking, he has been coaching Finland’s national cybersecurity team for the European Cybersecurity Challenge 2025 in Warsaw. He is committed to promoting legal hacking and cybersecurity awareness among youth through partnerships with educational and non-profit organizations.

‍

Designing security into the architecture

Secure architecture design begins at the concept phase. When systems are expected to handle personal or patient data, identifying and mitigating risks early can prevent costly changes down the line. This proactive approach ensures that cybersecurity is a core design principle instead of an afterthought.  (ISO)/IEC 81001-5-1 guides this process by emphasizing secure design principles for health software. This is the main standard followed as well as the guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.

‍

Risk assessment as a constant

A risk assessment matrix is a key tool in managing cybersecurity throughout development. Heikki notes that risk analysis must evolve with the project. “If a new feature is added later that processes personal data, the risk profile may change significantly.” Treating the matrix as a living document helps teams stay ahead of emerging threats. Exercising continuous risk management process throughout the software lifecycle ensures safe and secure product use, especially when the product nears its end of life in an ever-changing industry.

‍

The value of external penetration testing

Penetration testing during the verification phase provides an external perspective that internal teams may miss. Independent testing can uncover vulnerabilities that might otherwise go unnoticed, especially in complex environments like hospital networks. This step adds an extra layer of assurance before deployment. Innokas also offers this service as an independent third party.

‍

Staying current with CVE Scanning

Cyber threats evolve constantly, so protective measures must stay current. Automated vulnerability monitoring, such as CVE scanning, helps track publicly disclosed vulnerabilities in real time and alerts the team and client automatically. “If technology used in the product becomes vulnerable at any point, the system can trigger an update process quickly,” Heikki explains.

‍

Cybersecurity as a lifecycle commitment

Security is a continuous process that spans the entire product lifecycle from initial design to post-market maintenance. Teams that embed cybersecurity into every phase of development are better equipped to build resilient, compliant, and trustworthy medical devices. While mostly similar, cybersecurity requirements for EU and US markets differ significantly. Adhering to relevant standards and their outlined processes ensure cybersecurity is not only a technical requirement but also a regulatory one.

Innokas provides expertise throughout the development lifecycle, from secure architecture design to automated risk management. If your goal is to build a secure device for sensitive environments like hospital networks, we will be glad to chart your needs. Contact us via the link below.