Given the increasing scale of attacks against medical devices, European Union regulators have introduced a new set of market entry requirements for medical devices and in vitro diagnostic medical devices to reduce the risk of patient injury as a result of a cyber incident, as well as protect national health systems.
EU regulators are raising the bar for cybersecurity requirements with the EU Medical Device Regulation (MDR) and the EU In Vitro Diagnostic Regulation (IVDR), which came into effect on May 26, 2021. The regulations aim to “create a robust, transparent, predictable and sustainable regulatory framework… that ensures a high level of safety and health while supporting innovation.”
Organizations have until May 26, 2024, or when digital certificates used by devices expire, to make necessary changes to their quality management systems and technical documentation to comply with the new requirements. Despite the number of assessments, standards, and guidance documents that have been made available, medical device manufacturers, providers, and certification services may not be ready in time.
More than 90% of currently valid AIMDD/MDD certifications will expire by 2024, so a significant number of existing devices will need to be re-certified, in addition to new devices entering the market. It is estimated that 85% of the products currently on the market still need a new certificate under MDR/IVDR. Given that the process takes 13-18 months, companies need to start the process now to meet the 2024 deadline.
Preparing instructions for use
In general, cybersecurity operations are no different from overall device performance and safety operations. The goal is to ensure (through verification and validation) and demonstrate (through documentation) the performance of the device, reduce and control risks, and reduce expected risks and unwanted side effects through risk management. Hybrid products or interconnected devices/systems also require the management of risks that result from the interaction between software and the IT environment.
The Medical Device Coordination Group's MDCG-16 guidance on cybersecurity for medical devices explains how to interpret and meet cybersecurity requirements under the MDR and IVDR. Manufacturers are expected to consider the principles of safe development lifecycle, security risk management, and verification and validation. Furthermore, they must state minimum IT requirements and expectations for cybersecurity operations, such as installation and maintenance, in their device’s instructions for use. “Instructions for Use” is a highly structured, required section that manufacturers must provide in certification applications.
Cybersecurity measures must reduce any risks associated with the operation of medical devices, including safety risks caused by cybersecurity, to provide a high level of health and safety protection. The International Electrotechnical Commission (IEC) outlines high-level security features, best practices, and safety levels in IEC/TIR 60601-4-5. Another IEC technical report, IEC 80001-2-2, enumerates specific architecture and design security capabilities, such as automatic logout, audit controls, data backup and disaster recovery, malware detection/protection, and system and operating system hardening.
To meet ISO guidelines (ISO 14971), the Association for the Advancement of Medical Devices advises striking a balance between safety and security. Careful analysis is required to prevent security measures from compromising safety and safety measures from becoming a security risk. Security should be appropriately sized: neither too weak nor too restrictive.
Sharing responsibility for cyber security
Cybersecurity is a joint responsibility between the device manufacturer and the deployment organization (usually the customer/operator). Thus, the specific roles that provide critical cybersecurity functions—such as integrator, operator, healthcare, medical professionals, patients, and consumers—require careful training and documentation.
The Instructions for Use section of the manufacturer's approval application shall describe cybersecurity processes, including security configuration options, product installation, initial configuration instructions (for example, changing the default password), instructions for deploying security updates, procedures for using the medical device in fail-safe mode (e.g., entering/exiting fail-safe mode, fail-safe mode performance limitations, data recovery function when resuming normal operation), and user action plans if an alert message appears.
This section should also state the user’s training requirements and list the skills required, including the IT skills needed to install, configure, and operate the medical device. In addition, it should specify requirements for the operating environment (devices, network characteristics, security controls, etc.), covering assumptions about the use environment, risks of operating the device outside the intended operating environment, minimum platform requirements for the connected medical device, recommended IT security controls, and backup and restore features for both data and configuration settings.
Specific security information may be shared through documents other than the instructions for use, such as instructions for administrators or manuals for security operations. This information may include a list of the IT security controls built into the medical device, provisions to ensure the integrity/validation of software updates and security patches, technical characteristics of hardware components, a software bill of materials, user roles and access privileges/permissions associated with the device, logging functionality, guidelines on security recommendations, requirements for integrating a medical device into a health information system, and a list of network data flows (protocol types, origin/destination of data streams, addressing scheme, etc.).
If the operating environment is not exclusively on-premises but includes external hosting providers, the documentation should clearly state what data is stored, where (in light of data residency laws), and how, as well as any security controls that protect the data in the cloud (e.g., encryption). The instructions for use section of the documentation needs to provide specific configuration requirements for the operating environment, such as firewall rules (ports, interfaces, protocols, addressing schemes, etc.).
The security controls implemented during pre-market activities may be insufficient to maintain an acceptable level of risk and benefit during the operating life of the equipment. Therefore, the regulations require the manufacturer to establish a post-market cybersecurity surveillance program to monitor the operation of the device in the intended environment, to share and disseminate cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors, to carry out vulnerability remediation, and to plan incident response.
The manufacturer is also responsible for investigating and reporting serious incidents and taking field safety corrective action. Specifically, incidents with root causes related to cybersecurity are subject to trend reporting, including any statistically significant increase in incident frequency or severity.
Planning for all scenarios
Today’s medical devices are highly integrated and operate in a complex network of devices and systems, many of which may not be under the control of the device operator. Therefore, manufacturers must document the intended use of the device and the intended operating environment, as well as plan for misuse that can reasonably be expected, such as a cyber attack.
The requirements for managing pre- and post-market cybersecurity risks and supporting activities are not necessarily different from traditional safety programs. However, they add an extra level of complexity as:
- The set of risks to consider is more complex (safety, privacy, operations, business).
- It requires a specific set of activities that must be performed over the device development lifecycle via the Secure Product Development Framework (SPDF).
Global regulators, including MDR/IVDR, are beginning to mandate a higher level of security for medical devices and especially require demonstrable security as part of the larger device lifecycle. Devices, depending on the type of device and use case, must meet a safety baseline, and manufacturers must maintain this baseline over the entire life of the device.