New Medical Device Coordination Group Guidance on Cybersecurity for Medical Devices
15 January 2020
Medical device cybersecurity is a growing concern in light of the increasing rate of IT security incidents and data breaches across healthcare ecosystems, and it matters for medical device manufacturers too. An attacker could cause a pacemaker to deliver a deadly shock, a healthcare facility’s IT systems could be compromised through access gained from a connected medical device, or a software medical device app could be tampered with so as to interfere with a patient’s treatment. The WannaCry ransomware outbreak of May 2017, which locked hundreds of thousands of computers worldwide and demanded ransoms for their release, also hit the NHS in the UK: it led to the cancellation of around 19,000 appointments, locked medical devices and is estimated to have cost the NHS GBP 92 million.
The medical device regulatory framework has recently been overhauled to keep pace with technological and software developments, and the security and performance requirements applicable to medical devices that incorporate software have been reviewed as part of that exercise. The two new regulations, Regulation (EU) 2017/745 on medical devices (MDR) and Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDR) (together, the Medical Devices Regulations), entered into force on 25 May 2017 but apply fully from 26 May 2020 for the MDR and 26 May 2022 for the IVDR. As part of the overhaul, the Medical Device Coordination Group (MDCG) has been tasked with producing guidance documents on various aspects of the Medical Devices Regulations.
The much-awaited guidance on cybersecurity for medical devices (MDCG 2019-16, the Guidance) was published on 6 January 2020. It provides manufacturers with direction on how to fulfil the relevant general safety and performance requirements of Annex I of the Medical Devices Regulations with regard to cybersecurity, and sets out potential cybersecurity issues and topics for manufacturers to consider when ensuring compliance with the Medical Devices Regulations, some of which are discussed below.
Secure design and manufacture
Safety, security and effectiveness are critical aspects that manufacturers must consider from an early stage of development and manufacturing and throughout the entire life cycle of a medical device. Addressing cybersecurity risks at the design stage helps to mitigate them at later stages. However, the security posture of software changes over time as new attack techniques and newly discovered vulnerabilities emerge, and the Guidance recommends methods that can be put in place to adapt to such changes.
Manufacturers are advised to identify threats and vulnerabilities, which provide the basis for specifying security capabilities, for example encryption. However, the device’s intended use and intended operational environment should also be considered, so that other factors such as the functionality of the product are not adversely affected.
The impact of security measures on the effectiveness and safety of the product should be considered as well. For example, ‘blanking’ a screen might be an appropriate security control to mitigate the disclosure of personal data, but where the medical device is used for interventional purposes or to display real-time vital signs, blanking the screen becomes a safety concern and should not be implemented. The general safety and performance requirements of Annex I of the Medical Devices Regulations explicitly reference the environment in which the device is hosted, and the Guidance identifies that manufacturers need to set out the minimum relevant IT security requirements for that environment and communicate them effectively to users.
Post-market surveillance and vigilance
The Guidance highlights a manufacturer’s obligations throughout the life cycle of a product. It advises that, during the lifecycle of a device, the manufacturer should put in place a process to gather post-market information regarding the security of the device, take appropriate measures to control the risk of security incidents and ensure the timely implementation of corrective actions. It also states that the manufacturer should involve the distributors of the device and, where applicable, the authorised representative and importers in the post-market surveillance system, in order to obtain the relevant information from the market.
Incidents and serious incidents are defined in the Medical Devices Regulations, and Annex II of the Guidance provides a helpful table of examples illustrating the difference between incidents and serious incidents in the context of cybersecurity, with suggested safety/security controls for the safety/security harms listed.
Documentation and instructions for use
The Guidance also suggests what security details could be included in the instructions for use and clarifies what security information should be contained in the documentation required under the Medical Devices Regulations. The security information to be provided also depends on the device’s hosting environment, e.g. the IT security information that doctors would require when advising patients of the risks and benefits of a medical device. In addition, it recommends maintaining certain documentation required under the Medical Devices Regulations in electronic form so that the documents can be updated to keep pace with the frequent changes in the threat landscape.
Other legislation and guidance
Manufacturers of medical devices are reminded of other legislative sources and the cybersecurity obligations arising from them. For example, at EU level, the General Data Protection Regulation (GDPR), the EU Cybersecurity Act (Regulation (EU) 2019/881) and the NIS Directive (Directive (EU) 2016/1148) are relevant to the cybersecurity of medical devices, or to operators protecting or processing personal data stored in medical devices, and may apply in parallel to the Medical Devices Regulations. The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU, and the EU Cybersecurity Act introduces for the first time an EU-wide cybersecurity certification framework for ICT products, services and processes.
At a worldwide level, the Guidance recommends that manufacturers refer to the medical device cybersecurity guide under development by a working group of the International Medical Device Regulators Forum (IMDRF), which promotes a globally harmonised approach to medical device cybersecurity and provides cybersecurity guidance for stakeholders across the device lifecycle.
Manufacturers will have to review, amend and maintain various documentation (for example, instructions for use) and systems (for example, post-market surveillance and incident investigation) throughout the lifecycle of a medical device, to ensure that cybersecurity is sufficiently taken into account in light of the Guidance. Other stakeholders, such as suppliers, integrators and healthcare providers, share responsibility for ensuring a secure environment for the benefit of patient safety, and the IMDRF is developing a document that sets out the expectations of these various stakeholders in the field of cybersecurity. The Guidance applies to medical devices, but it is the joint responsibility of all stakeholders to ensure that they comply with the other legislation that runs in parallel to the Medical Devices Regulations and that they are prepared for any changes medical device manufacturers may implement in light of this new Guidance.
The content of this article is provided for information purposes only and does not constitute legal or other advice.