Secure by Design: Developing Cybersecure Medical Devices
Medical devices are becoming increasingly connected to other devices, the Internet, or hospital networks to serve functions that improve healthcare and enhance treatment options. According to estimates, one in four medical devices is already connected to the Internet or hospital network. In 2017, they totalled an estimated 337 million, with an expected compound annual growth rate (CAGR) of 20.8% through 2030—including digital health apps. Their development is driven by the German Digital Healthcare Act (DVG) and similar initiatives across Europe. 1 Digital health apps are playing increasingly important roles in healthcare with approximately 200 new health apps being added to the app stores every day. 2
However, connectivity also increases the risk of potential cybersecurity threats. Every connected medical device or device that forms part of the Internet of Medical Things (IoMT) is a potential target for cyberattacks that can compromise patient or user safety or leak highly sensitive healthcare data. For example, Amnesty International discovered a critical weakness in the configuration of the EHTERAZ contact tracing app used by Qatar to slow the spread of COVID-19. By exploiting this vulnerability, cybercriminals would have been able to access highly sensitive personal information of more than one million users—including their names, national IDs, health status, and location data. 3 Fortunately, this security gap was quickly patched.
In a recent survey, four out of five medical device manufacturers stated that they had been targeted by at least one cyberattack in 2019. 4 Apart from health risks and high penalties for possible data protection breaches, successful cyberattacks or security vulnerabilities that become public can also damage the reputation of manufacturers. Entities including the German Federal Institute for Drugs and Medical Devices (BfArM), the U.S. National Cybersecurity and Communications Integration Center (NCCIC), and the U.S. Food and Drug Administration (FDA) provide detailed information about known security risks in medical devices and name the product as well as the manufacturer. 5 Once lost, trust is difficult to regain—particularly in highly sensitive areas such as healthcare.
Cybersecurity Risk Management Is Mandatory
The topic is increasingly being taken up by key regulatory bodies around the globe, such as the European Union Agency for Cybersecurity (ENISA) and FDA. The main requirement of all major legislative acts and guidance documents is the implementation of a security risk management process and a "secure by design" approach. In addition, medical device manufacturers are responsible for remaining vigilant to identify all risks and hazards associated with their medical devices—including risks related to cybersecurity. Given this, cybersecurity is more than just a cost factor in medical device development—it is a critical element of a safe, secure, and compliant medical device and a cornerstone of business success.
However, many manufacturers and developers lack experience in developing software products in a highly regulated market environment. To make matters worse, there is no clear guidance on how to ensure security by design in medical devices and adopt current standards. Different sets of regulations and standards with only partially overlapping requirements further increase complexity.
The Scope of Current Standards
Regulation (EU) 2017/745, also known as the Medical Device Regulation (MDR), provides the regulatory framework for all stakeholders in the medical device market. Replacing the previously valid Directives 93/42/EEC and 90/385/EEC, the MDR became applicable on 26 May 2021 in the member states of the European Union as well as Norway, Iceland, and Liechtenstein. The MDR classifies medical devices (including software) according to their intended medical purpose and the associated risk and requires all devices to be registered in a medical device database (Eudamed). Manufacturers of devices in risk classes Is, Im, Ir, and higher are subject to surveillance by Notified Bodies.
Market access in Europe demands compliance with the general safety and performance requirements defined in Annex I. In contrast to the directives amended or repealed by the MDR, the regulation defines several cybersecurity requirements. The use of common standards and specifications ensures that all requirements are met. The newly published technical report IEC TR 60601-4-5:2021 (“Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications”) defines security requirements for medical devices including stand-alone software as a medical device.
For approval in the United States, FDA publishes its own guidelines—e.g., “Postmarket Management of Cybersecurity in Medical Devices,” which provides helpful guidance on the post-market aspects of cybersecurity and is hence a "must read" not only for manufacturers targeting the USA. In addition, FDA publishes voluntary consensus standards for which it will accept a Declaration of Conformity. 6
Keeping an Eye on the Entire Life Cycle
The MDR requires development “according to the state of the art” considering IT security and the definition of security measures to protect against aspects such as unauthorized access (Annex I 17.2 and 17.4) . This also implies the establishment of security risk management. The helpful MDCG 2019-16 guidance document further specifies the implementation of a security risk management process. 8 The new edition of the risk management standard ISO 14971:2019 can be applied to manage risks associated with data and system security. However, according to the authors of the standard, management of the security risks of medical devices does not require a separate process. This is in line with the information in the MDCG guidance.
New vulnerabilities are usually found after the medical device has been placed on the market. Therefore, risk management should cover the entire life cycle, up to and including decommissioning of the medical device. The requirements specifically mentioned in the guidance include post-market surveillance, incident response, and a problem-solving process.
At present, there are no specific standards governing a secure life cycle of medical devices. However, the IEC 81001-5-1:2020 standard (“Health software and health IT systems safety, effectiveness and security – Security – Activities in the product life cycle”) is slated to be published in Q3 2021 and follows the approach set forth in the IEC 62443 series of standards which is widely accepted in the industry.
The development of connected and software-driven medical devices or stand-alone medical software must consider cybersecurity right from the very early stages of design and development. This is necessary, required, and mandatory for market access in Europe, USA, and other key markets. The relevant standards and guidelines already exist or are being developed. Key aspects for ensuring "defence in depth" are cybersecurity risk management processes and secure lifecycle processes. The primary means of security verification and validation is testing, with possible methods including vulnerability scanning, penetration testing, and fuzzing of the system. Objective evidence of the security of a medical device and its effectiveness must be part of the technical file that is submitted to the regulators or Notified Bodies as part of the certification process.
Article source: MDDI Online by Dr. Abtin Rad