Due to the increasing number of attacks against medical devices, EU regulatory authorities are putting forward a new set of market access requirements for medical devices and in vitro diagnostic medical devices to reduce the risk of patient harm as a result of a cyber incident and to protect national healthcare systems.
EU regulators are raising the bar for cybersecurity requirements with the EU Medical Device Regulation (MDR) and the EU In Vitro Diagnostic Regulation (IVDR), which entered into force on 26 May 2021. The rules aim to “establish a robust, transparent, predictable and sustainable regulatory framework … which ensures a high level of safety and health while supporting innovation.”
Organizations have until May 26, 2024, or when the digital certificates used by the devices expire, to make the necessary changes to their quality management systems and technical documentation to comply with the new requirements. Despite the number of assessment processes and standards and guidance documents that have been provided, medical device manufacturers, providers and certification services may not be ready in time.
More than 90% of currently valid AIMDD/MDD certificates will expire in 2024, so a significant number of existing units will need to be recertified, in addition to new units entering the market. It is estimated that 85% of the products currently on the market still require recertification under the MDR/IVDR. Given that the process takes 13 to 18 months, companies need to start the process now to meet the 2024 deadline.
Setting the user manual
In general, cybersecurity processes are not that different from general device performance and security processes. The objective is to ensure (through verification and validation) and demonstrate (through documentation) device performance, risk reduction and control and minimization of foreseeable risks and unwanted side effects through risk management. Combination products or interconnected devices/systems also require management of the risks arising from interaction between software and the IT environment.
The Medical Device Coordination Group’s MDCG-16 guidance on cybersecurity for medical devices explains how to interpret and meet cybersecurity requirements under the MDR and IVDR. Manufacturers are expected to take into account the principles of the secure development life cycle, security risk management and verification and validation. Additionally, they should specify minimum IT requirements and expectations for cybersecurity processes, such as installation and maintenance, in their device’s user manual. “Instructions for use” is a highly structured required part of the certification application that manufacturers must submit.
Cybersecurity measures must reduce any risk associated with the operation of medical devices, including cybersecurity-induced security risks, to provide a high level of protection for health and safety. The International Electrotechnical Commission (IEC) specifies high-level safety features, best practices and safety levels in IEC/TIR 60601-4-5. Another IEC technical report, IEC 80001-2-2, lists specific design and architecture security features such as automatic logoff, audit controls, data backup and disaster recovery, malware detection/protection, and system and OS hardening.
To meet ISO guidelines (ISO 14971), the Association for the Advancement of Medical Instrumentation recommends striking a balance between safety and security. Careful analysis is required to prevent security safeguards from compromising safety, and safety measures from becoming a security risk. Security must be right-sized: neither too weak nor too restrictive.
Shared responsibility for cyber security
Cybersecurity is a responsibility shared between the device manufacturer and the implementing organization (typically the customer/operator). Thus, specific roles that provide important cybersecurity functions—such as integrator, operator, health and medical professionals, as well as patients and consumers—require careful training and documentation.
The “instructions for use” section of a manufacturer’s certification application must contain cybersecurity processes, including security configuration options, product installation, guidelines for initial configuration (e.g. changing the default password), instructions for implementing security updates, procedures for using the medical device in failsafe mode (e.g. entering/exiting safe mode, performance limitations in safe mode and data recovery capability when normal operation resumes), and action plans for the user in the event of a warning message.
This section should also provide user training requirements and list necessary skills, including IT skills, required for installation, configuration and operation of the medical device. In addition, it should specify requirements for the operating environment (hardware, network characteristics, security controls, etc.), covering assumptions about the use environment, risks of device operation outside the intended operating environment, minimum platform requirements for the connected medical equipment, recommended IT security controls, and backup and recovery capabilities for both data and configuration settings.
Specific security information may be shared through documentation other than the user manual, such as instructions for administrators or security operating instructions. Such information may include a list of IT security controls included in the medical device, provisions for ensuring integrity/validation of software updates and security patches, technical characteristics of hardware components, the software note, user roles and associated access rights/permissions on the device, logging functionality, security recommendation guidelines, requirements for integrating the medical device into a health information system and a list of network data streams (protocol types, origin/destination of data streams, addressing scheme, etc.).
If the operating environment is not exclusively local, but involves external hosting providers, the documentation must clearly state what data is stored, where it is stored (taking into account data residency legislation) and how, as well as any security controls used to protect the data in a cloud environment (e.g. encryption). The user guide section of the documentation should provide specific configuration requirements for the operating environment, such as firewall rules (ports, interfaces, protocols, addressing schemes, etc.).
Safety controls implemented during premarket activities may be insufficient to maintain an acceptable benefit-risk level over the lifetime of the device. Therefore, the regulations require the manufacturer to establish a post-market cybersecurity monitoring program to monitor the operation of the device in the intended environment; to share and disseminate cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors; to perform vulnerability remediation; and to plan incident response.
The manufacturer is also responsible for investigating and reporting serious incidents and taking safety corrective actions. Specifically, incidents that have cybersecurity-related root causes are subject to trend reporting, including any statistically significant increase in the frequency or severity of incidents.
Planning for all scenarios
Today’s medical devices are highly integrated and operate in a complex network of devices and systems, many of which may not be under the control of the device operator. Therefore, manufacturers should carefully document the device’s intended use and intended operating environment, as well as plan for reasonably foreseeable misuse, such as a cyber attack.
Cybersecurity requirements for pre- and post-market risk management and supporting activities are not necessarily different from traditional security programs. However, they add an extra level of complexity:
- The range of risks to consider is more complex (security, privacy, operations, business).
- They require a specific set of activities to be performed along the device development lifecycle via a Secure Product Development Framework (SPDF).
Global regulators, including the MDR/IVDR, are beginning to enforce a higher level of safety for medical devices and specifically require demonstrable safety as part of the larger device lifecycle. Devices must, based on device type and use case, meet a security baseline, and manufacturers must maintain that baseline throughout the life of the device.