National Cancer Institute

Cybersecurity by Design in Medical Devices


Medical devices and medical software are becoming increasingly connected to hospital networks, other medical devices or the Internet. As a result, manufacturers and developers are required to consider cybersecurity from the very early stages of development. This in turn necessitates comprehensive risk management along the entire lifecycle of a device.

Today, around one in four medical devices is connected to the Internet or a hospital network. In 2017, there were around 337 million devices of this kind, with a predicted compound annual growth rate (CAGR) of 20.8% up to 2030 [1]. Included in this number are digital health applications (DHA), the development of which has been supported by the German Digital Healthcare Act (Digitale-Versorgungs-Gesetz, DVG) and several other European initiatives. This has resulted in nearly 200 new health apps being launched on the market every day.

Ensuring Data Protection

Connected medical devices and health apps can support preventive healthcare, improve medical care in rural areas or offer additional treatment options for health professionals in hospitals. However, increasing connectivity comes at a cost: it makes medical devices more vulnerable to attacks, which can jeopardize the safety of both patients and staff or lead to the disclosure of highly sensitive health data.

Qatar’s EHTERAZ track-and-trace app during the COVID-19 pandemic is one example. Amnesty International discovered a critical vulnerability in this app, which would have enabled cybercriminals to access highly sensitive personal information of more than one million users, including their names, national IDs, health status and location data. This issue was fixed before it could be exploited [2].

In addition to device-specific requirements, there are fundamental higher-level cybersecurity and privacy regulations that also need to be considered. The European Union, for example, imposes high standards for data security in its General Data Protection Regulation (GDPR). Apart from severe penalties for data breaches, successful cyberattacks and vulnerabilities that become public knowledge may endanger health and damage the reputation of manufacturers. Authorities such as the German Federal Institute for Drugs and Medical Devices (BfArM) and the FDA publish detailed information on known vulnerabilities and security risks in medical devices, naming both the products and the manufacturers. Once lost, trust is difficult to regain.

Hence, cybersecurity is an essential part of a medical device’s conformity with the essential requirements and is critical for both market access and sustainable business success. But many manufacturers and developers have little experience in markets as highly regulated as the medtech market. Clear guidelines or standards that help to implement security by design in medical devices are practically non-existent, and cybersecurity requirements differ from one region to the next, even within the European Union. To make matters worse, there are no international standards dedicated to the cybersecurity of medical devices, except for the Technical Report IEC TR 60601-4-5 (Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications).

Classifying Medical Devices

Regulations (EU) 2017/746 on in-vitro diagnostics (IVDR) and (EU) 2017/745, more commonly known as the Medical Device Regulation (MDR), define the requirements that apply to all medical devices in the European Union member states and in Norway, Iceland and Liechtenstein. Applicable since May 26, 2021, the MDR has repealed Directives 93/42/EEC (MDD) and 90/385/EEC. Directive 98/79/EC (IVDD) will be replaced by the IVDR, with the transition period ending on May 26, 2022.

In contrast to the previous directives, both the MDR and IVDR also include requirements that address the cybersecurity of medical devices. Both regulations require development to be in line with the “generally acknowledged state of the art”, considering IT security and protection measures against unauthorised access (Annex I, 17.2 and 17.4) [3]. The MDR classifies medical devices in product classes I to III depending on their intended medical purpose and risk potential, giving rise to further requirements. In general, it can be said that the higher the product class, the higher the certification efforts involved.

Manufacturers of class I medical devices with measuring function (Im), medical devices that are placed on the market in sterile condition (Is), reusable surgical instruments (Ir) and medical devices in classes IIa, IIb and III are subject to ongoing surveillance by Notified Bodies. According to MDR classification rule 11, software supporting diagnostic or therapeutic decisions is always classified as class IIa. However, where decisions taken based on information provided by the software may result in serious deterioration of a patient’s state of health, the medical device must be classified as class IIb. Where such a decision may even result in irreversible damage or death, the product falls in class III. Compared to the MDD, the MDR classifies only a few medical devices as class I, the category for which the fewest requirements are defined.

To place products on the EU market, manufacturers and distributors need to register their medical devices in Eudamed, the EU database on medical devices, and ensure their device complies with the general safety and performance requirements defined in Annex I. This also includes establishing cybersecurity risk management that covers the entire lifecycle of the device.

Managing Security Risks

Guidance MDCG 2019-16 “Guidance on cybersecurity for medical devices” specifies the requirements for cybersecurity set forth in Annex I to the MDR and/or IVDR [4]. One of the central requirements is to establish and maintain a security risk management system. Such a risk management system can be established in accordance with the international risk management standard ISO 14971:2019, for example. The latest revision of the standard also covers cybersecurity risks, and its authors point out that there is no need for a separate risk-management process addressing the cybersecurity of medical devices. This is also in compliance with the MDCG Guidance.

The FDA has published its own guidelines, such as “Postmarket Management of Cybersecurity in Medical Devices”. This document highlights the cybersecurity aspects of devices already sold on the market. As such, it is significant and of interest not only to manufacturers targeting the U.S. market. The FDA also publishes voluntary consensus standards that manufacturers can apply to their products [5].

By applying harmonized standards and common specifications as guidance, manufacturers ensure that their medical devices represent the state of the art and follow all requirements. This includes the newly published technical report IEC TR 60601-4-5:2021, which helps to establish further security requirements for medical devices including (standalone) software as a medical device.

Lifecycle Approach

Essentially, all relevant standards and guidance require comprehensive security risk management and a “secure by design” approach. Cybersecurity is a central aspect at each stage of development, enabling all risks and hazards to be identified. However, in many cases new vulnerabilities are only identified after the medical device has been placed on the market. Risk management must therefore cover the entire lifecycle of a device, from design to disposal. This includes post-market surveillance, a reporting system, a problem-resolution process and a maintenance process. These post-market risk management activities are all the more important because the lifecycle of medical devices is often significantly longer than that of standard consumer electronics or private user software.

Conclusion

Market access in Europe, the United States and other key markets requires comprehensive security risk management and reliable lifecycle processes. The relevant standards, directives and guidelines are already available or currently under development. Tests, including vulnerability scanning, penetration tests and fuzz testing, play a central role in the verification and validation of security measures. Proof of the cybersecurity of a medical device must be presented to the supervisory authorities or notified bodies as part of the certification process.

References

  1. IHS Markit. “The Internet of Things: a movement, not a market”. E-paper.
  2. Amnesty International. (May 26, 2020). “Qatar: Contact tracing app security flaw exposed sensitive personal details of more than one million”.
  3. Regulation (EU) 2017/745 on medical devices, Annex I, 17. Electronic programmable systems – devices that incorporate electronic programmable systems and software that are devices in themselves. Official Journal of the European Union.
  4. European Commission. MDCG 2019-16, “Guidance on Cybersecurity for medical devices”.
  5. FDA. (December 2016). “Postmarket Management of Cybersecurity in Medical Devices”. Guidance Document.
