The Medical Device Coordination Group (MDCG), an advisory body composed of the representatives of EU member states, issued guidance dedicated to cybersecurity issues.
Scope of the Guidance
According to the medical device regulations 745/2017 (MDR) and 746/2017 (IVDR), the legal framework should also cover potential issues related to innovative technologies and cybersecurity. For this purpose, the regulations set forth specific safety requirements for medical devices, including programmable medical devices and software as a medical device. These regulations require manufacturers to establish the necessary risk management procedures and security measures to prevent unauthorized access. The guidance is intended to assist medical device manufacturers and other parties involved in complying with the cybersecurity requirements. The medical device regulations include requirements for both the pre-market and the post-market stage. The general safety and performance requirements concerning cybersecurity cover the following topics:
– IT, operation and information security,
– Safety, security and effectiveness requirements obliging the manufacturer to reduce the risk associated with the use of the device, both under its intended use and under reasonably foreseeable misuse,
– Secure design and manufacturing process (including risk management on all stages of the lifecycle, protection against unauthorized access, identification of hazards and potential threats, and risk control measures),
– Acceptable residual risk, i.e. the risk that remains because it could not be eliminated,
– Information provided to users, including documentation, instructions, and labeling.
The aforementioned requirements also apply to in vitro diagnostic medical devices. At the same time, the guidance states that the medical device regulations cover cybersecurity only partially, while the remaining aspects are covered by other legislation; for example, certain aspects are regulated by the Cybersecurity Act and the GDPR. According to the regulations, all processes, including the design, development and modification of medical devices, should be based on the state of the art while reducing the risk associated with the use of the device.
Core Principles of Cybersecurity
The guidance defines risk as a combination of the probability of occurrence of harm and the severity of that harm. This definition includes all types of risk. It is also stated that risk should be reduced to the lowest extent possible to ensure the protection of a patient’s health.
The document also contains a detailed description of the particular cybersecurity requirements.
- IT, information and operation security. Both MDR and IVDR set forth the requirements regarding hardware, IT networks and security measures applicable to the software intended for medical purposes.
- IT security: a set of measures aimed at protection against unauthorized access and intervention in operations of computer systems, includes measures ensuring the confidentiality and accuracy of information.
- Operation security: the measures aimed at excluding any possibility of unauthorized third-party intervention in the operation of networks and processes.
- Information security: protection against threats and hazards arising from any changes made to the information.
- Safety, security, and effectiveness. According to the regulations, all medical devices available on the market should be safe and effective, and all risks associated with the use of the device should be acceptable. This provision is based on the benefit-risk balance principle, which states that the benefit resulting from the use of the device should exceed the risk associated with it. It is also required to find the optimal balance between weak security (e.g. weak access control creating vulnerabilities that allow unauthorized third-party access to the device) and restrictive security – a situation in which the level of protection is so high that it creates difficulties during the normal use of the device. To deal with this issue, all security aspects should be included in the risk assessment.
- Intended use of the device. The particular security measures implemented in the device should be developed by the manufacturer depending on the intended use of the device, the conditions under which the device should be used, and the communication technology utilized in the device. As a general rule, the security system should consist of several layers. One of these layers is the concept of a normal operating environment – the conditions in which the device should be used. The manufacturer should describe the operating environment in the documentation supplied with the device.
- Reasonably foreseeable misuse. The guidance states that almost all devices and solutions in use have vulnerabilities due to their complexity. Thus, all vulnerabilities should be assumed to be discoverable, and the manufacturer shall reduce the risk associated with the possible exploitation of such vulnerabilities by third parties. In other words, the manufacturer must analyze all the ways in which the vulnerabilities could be used and implement the measures necessary to minimize the risk arising from them.
- Operating environment. The environment in which the device is used depends on the particular healthcare facility acting as the operator and on the security measures implemented in that facility. According to the regulation, healthcare facilities should provide physical and general access control preventing unauthorized third parties from accessing networks and devices, malware protection, timely updates, and proper security training. The document also emphasizes the need to implement change tracking that identifies the particular person making changes to the system.
- Joint responsibility of all parties involved. Although the manufacturer plays the most important role in ensuring safety, the other parties involved in operating medical devices should cooperate and implement the measures necessary to maintain the proper security level. All operations with medical devices should be conducted exclusively in accordance with the documentation provided by the manufacturer. For example, the integrator (either the manufacturer itself or an operator) should fulfill any and all requirements necessary to ensure the effectiveness of the security measures taken.
Secure by Design
The guidance provides that all medical device manufacturers should employ the “secure by design” principle, which covers all stages of the device’s life cycle and results in the establishment of a “defense in depth” strategy. This strategy includes the following elements:
- Security management – all security measures should be developed, planned and documented in a proper way.
- Specification of security requirements – all requirements related to security measures should be described in detail and supplied with the device. The description should cover all the aspects including authentication and access control, physical security and protection against unauthorized access.
- Secure by design – all measures should be aimed at ensuring the highest protection level.
- Secure implementation – requirement applicable to both hardware and software components to ensure that the device is secure when operating as intended.
- Security verification and validation testing – the results of any testing performed to ensure that all security measures necessary are implemented and maintained properly should be duly documented. The appropriate testing should be performed at each step of the lifecycle of a medical device.
- Management of security-related issues – all issues related to security should be handled in a proper way.
- Security update management – according to this principle, updates and patches aimed at improving protection must be provided in a timely manner.
- Security guidelines – the manufacturer must provide operators and end-users with all information necessary to use the device in a way that ensures the implementation of all security measures intended by the manufacturer.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.