With the introduction of the MDR and the IVDR, the requirements for the safety of medical devices that can be connected to a network have increased. Among the many innovations that came into force with the two regulations, both reinforce the legislator's focus on ensuring that devices placed on the EU market are fit for the new technological challenges associated with cybersecurity risks. Among other things, they lay down new general safety and performance requirements for all medical devices that contain electronic programmable systems, and for software that is itself a medical device. Manufacturers are required to design and manufacture such products in accordance with the state of the art, taking into account the principles of risk management, including information security, and to set out minimum requirements for IT security measures, including protection against unauthorised access.
Manufacturers are not left to work this out on their own. The MDCG (Medical Device Coordination Group) has published MDCG 2019-16, the "Guidance on Cybersecurity for Medical Devices", which explains in detail how manufacturers can meet the relevant essential requirements of Annex I of the MDR and the IVDR with regard to cybersecurity.
At EU level, the following legal instruments are relevant to the cybersecurity of medical devices, or to operators who protect or process personal data stored in medical devices, and may apply in parallel to the medical device regulations:
- NIS Directive: legal measures to raise the general level of cybersecurity in the EU;
- GDPR (General Data Protection Regulation): regulates and protects the processing of personal data relating to individuals in the EU by any person, company or organisation;
- EU Cybersecurity Act: an EU-wide framework for the cybersecurity certification of ICT products, services and processes.
The relationship between these regulations and the cybersecurity requirements listed in Annex I of the MDR is shown in the next figure (source: MDCG 2019-16):
The manufacturer is required to take into account and demonstrate the state of the art in the design, development and improvement of medical devices throughout their life cycle.
Safety, security and effectiveness are critical aspects in the design of security mechanisms for medical devices and in vitro diagnostic devices. Manufacturers must take them into account at an early stage of development and manufacturing and throughout the product life cycle.
"Secure by design"
The key philosophy proposed by the MDCG as the basis for a defence-in-depth strategy (source: MDCG 2019-16) consists of the following process steps:
- "Security management": ensures that all process steps are followed and managed and that security-related activities are appropriately planned, documented and executed throughout the product lifecycle.
- "Specification of security requirements": identifies the security capabilities required to adequately protect the confidentiality, integrity and availability of the data, functions and services of the medical device, together with the specified product security context (e.g. authentication, authorisation, encryption).
- "Security by design": ensures that the product is secure by design, including defence in depth.
- "Secure implementation": ensures that the product features are implemented securely across all hardware and software components (externally sourced components excepted).
- "Security V&V testing": verification and validation testing of the security capabilities, with the tests and their results documented.
- "Security guidelines": provides and maintains the user documentation of the product security context.
Two further process steps complement these core steps: "Management of security-related issues" and "Security update management". Together they ensure that security updates and patches are regression-tested and made available to product users in a timely manner.
Security Risk Management
The product's safety risk analysis should consider the effects of security vulnerabilities on the essential functioning of the product. The safety risk assessment can list the generic security-related hazards identified for the product.
The list of known vulnerabilities and attack vectors, as an output of risk management, is the basis for defining the security capabilities required to adequately protect the confidentiality, integrity and availability of the data, functions and services of the medical device, together with the specified product security context.
Security risk assessment
When choosing security capabilities as protective measures, the manufacturer should take into account the intended clinical use of the device and the intended operational environment, and strike an appropriate balance between safety, effectiveness and security. Caution: at any point in time only a subset of a device's vulnerabilities is known. Once a vulnerability has been identified (for example, published for a component the device uses), it counts as "foreseeable" and must be addressed in risk management.
Security Benefit Risk Analysis
A general benefit-risk analysis based on the intended use and the potential safety and performance impacts shall be carried out on the basis of the safety risk assessment, which shall include the security-related hazard categories.
Minimum IT requirements
The manufacturer must define the minimum requirements for the operating environment in terms of IT network characteristics and IT security measures that the product design cannot cover by itself.
The medical device should be as autonomous as possible with regard to IT security.
The manufacturer's assumptions regarding the IT security of the operating environment must be clearly documented in the user manual.
In cases where the medical device relies on the operating environment to perform important IT security controls, this should be stated in the accompanying technical documentation.
IT security requirements for the operating environment:
MDCG 2019-16 proposes the following list of possible IT security requirements for the operating environment:
- Compliance with national and EU regulations (e.g. GDPR)
- Ensuring the physical security of the medical device through appropriate security measures
- Adequate security controls
- Ensuring the control and security of network traffic through appropriate measures
- Security measures specifically for the workstations connected to the medical device
- Measures to limit the propagation of an attack on a complex system integrating multiple medical devices and other systems
- Arrangements for patch management
- Elements of the operating environment that interact with other devices (e.g. other equipment) or are necessary for the operation of medical devices (e.g. OS) should ensure interoperability and should not impair the specified performance of the medical device.
Further exemplary IT security requirements are listed in chapter 7 of MDCG 2019-16.
During the support lifetime of the device, the manufacturer should establish a process for collecting information on the security of the device after it has been placed on the market.
This process should take the following into account:
- Security incidents directly related to the medical device software;
- Security vulnerabilities related to the medical device hardware/software and third-party hardware/software used with the medical device;
- changes in the threat landscape, including interoperability aspects.
The manufacturer should evaluate the information thus gathered, assess the associated security and safety risk and take appropriate measures to control the risk associated with such security incidents or vulnerabilities.
The manufacturer must provide the following information to the user of the medical device:
- Summary of the risk assessment of IT security objectives
- Operating system specifications
- Provisions to ensure the integrity/validation of software updates and security patches
- Options for the security configuration
- Product installation
- Guidelines for the initial configuration
- Step-by-step instructions for deploying security updates
- Procedures for operating the medical device in fail-safe mode
- Documented action plan that the user must follow in case of an alert message
- User requirements in terms of training/required skills, including the necessary IT skills
- Minimum requirements for the workstations intended for user operation: Hardware features, operating system versions, peripheral devices, etc.
- Minimum platform requirements for the connected medical device: hardware properties, operating system versions, middleware and drivers, peripheral devices, etc.
- Assumptions on the environment of use
- Risks for device operation outside the intended operating environment
- Recommended IT security controls for the operating environment (e.g. antivirus, firewall)
- Description of the backup and restore features for data and configuration settings
The following specific security information may also be provided through other accompanying documents (e.g. safety operating manual, service manual, etc.):
- List of IT security controls included in the medical device
- Depending on the type of product, provisions to ensure the integrity/validation of software updates and security patches
- Technical properties of hardware components
- Software Bill of Materials
- User roles and their respective access privileges/permissions on the device
- Implementation of the logging function, in particular the log storage capacity and recommendations for backing up and using the logs
- Commissioning of the system in production, including security recommendations and requirements for integrating the medical device into a health information system
- System operation, administration, monitoring and operational support
- Minimum administration workstation requirements for the connected medical device: hardware properties, operating system versions, middleware and drivers, peripheral devices, etc.
- For network-connected medical devices, the documentation should include an exhaustive matrix of the network data streams (protocol types, origin/destination of the data streams, addressing scheme, etc.)
- If the operating environment is not exclusively local, but includes external hosting providers, the documentation must clearly state what, where and how the data is stored, as well as any security controls to protect the data in the cloud environment (e.g. encryption)
- Specific configuration requirements for the operating environment, such as firewall rules
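Two items in the lists above ("Provisions to ensure the integrity/validation of software updates and security patches") name a requirement without showing what it looks like in practice. The following Go program is an added illustration and is not code from MDCG 2019-16 or from any manufacturer. It assumes a hypothetical update format: a JSON manifest (device model, monotonically increasing version, SHA-256 of the payload) signed with an Ed25519 release key whose public half is provisioned on the device. The verifier checks the signature before trusting any manifest field, rejects packages for another device model, refuses downgrades to an older signed version (rollback), and only then compares the payload hash. The device name and firmware bytes are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update package. The manufacturer signs the JSON
// encoding of this structure with its release key. (Hypothetical format,
// chosen for this example; MDCG 2019-16 prescribes no specific layout.)
type Manifest struct {
	Device     string `json:"device"`      // model the update is valid for
	Version    uint32 `json:"version"`     // monotonically increasing build number
	PayloadSHA string `json:"payload_sha"` // hex SHA-256 of the payload bytes
}

// SignedUpdate is what the device receives: the manifest bytes, the signature
// over exactly those bytes, and the payload itself.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongDevice  = errors.New("manifest is for a different device model")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrBadPayload   = errors.New("payload hash does not match manifest")
)

// VerifyUpdate checks an update against the public key trusted by the device
// and the currently installed version. The signature is verified first, so
// no field of the manifest is acted on before it is known to be authentic.
func VerifyUpdate(pub ed25519.PublicKey, device string, installed uint32, u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	if m.Device != device {
		return nil, ErrWrongDevice
	}
	if m.Version <= installed { // anti-rollback: an old but validly signed package is refused
		return nil, ErrRollback
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return nil, ErrBadPayload
	}
	return &m, nil
}

// BuildUpdate plays the manufacturer's release step: hash the payload, encode
// the manifest and sign it. It exists here only to construct test data.
func BuildUpdate(priv ed25519.PrivateKey, device string, version uint32, payload []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	mj, err := json.Marshal(Manifest{Device: device, Version: version, PayloadSHA: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

func main() {
	// On a real device the public key is provisioned at manufacture (ideally in
	// a hardware root of trust); generating it here keeps the example offline.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const device = "INFUSION-PUMP-X1" // constructed model name
	installed := uint32(11)

	good, _ := BuildUpdate(priv, device, 12, []byte("constructed firmware image v12"))
	_, err := VerifyUpdate(pub, device, installed, good)
	fmt.Println("genuine v12 package:", err) // <nil>: accepted

	tampered := good // payload swapped after signing
	tampered.Payload = []byte("constructed backdoored image")
	_, err = VerifyUpdate(pub, device, installed, tampered)
	fmt.Println("tampered payload:", err)

	old, _ := BuildUpdate(priv, device, 9, []byte("constructed firmware image v9"))
	_, err = VerifyUpdate(pub, device, installed, old) // validly signed, but older
	fmt.Println("replayed v9 package:", err)

	forged := good // attacker edits the version field in the manifest
	forged.ManifestJSON = []byte(`{"device":"INFUSION-PUMP-X1","version":99,"payload_sha":"00"}`)
	_, err = VerifyUpdate(pub, device, installed, forged)
	fmt.Println("forged manifest:", err)
}
```

The point for the documentation required by the MDR is that each of these checks corresponds to a statement the manufacturer can make to the user: updates are authenticated with a manufacturer key, the device will not install a package for another model, and it will not accept a downgrade to a version with known vulnerabilities. A real implementation would additionally bind the trusted public key to a hardware root of trust and store the installed version counter tamper-resistantly; neither is shown here.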
Information for healthcare providers
The manufacturer must provide the following cybersecurity information to healthcare providers:
- Instructions for use and product specifications related to recommended cyber security controls
- Description of device features that protect critical functionality even if the cybersecurity of the device is compromised
- Description of backup and restore features and procedures to regain configurations
- Specific guidance to users on the requirements for the supporting infrastructure to enable the device to operate as intended
- Description of how the device can be protected by a secure configuration
- List of network ports and other interfaces expected to receive/send data, a description of port functionality and whether they are incoming or outgoing ports
- Sufficiently detailed network diagrams for end users
- Where appropriate, technical instructions to permit secure network (connected) deployment and servicing, and instructions to users on how to respond upon detection of a cybersecurity vulnerability or incident
- Risks, if any, associated with the use of the medical device outside of the intended use environment
Post-Market Surveillance and Vigilance
The manufacturer is obliged to establish a post-market surveillance (PMS) system and to actively update this PMS. Cybersecurity considerations for medical devices should be part of this PMS system.
Depending on the class of the device, a PMS report or a Periodic Safety Update Report (PSUR) is prepared, summarising the results and conclusions of the analysis of all post-market data.
An effective and successful post-market cybersecurity surveillance program should include, inter alia, the following aspects:
- Operating the device in the intended environment
- Sharing and dissemination of cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors
- Vulnerability remediation
- Response to an incident
- Enhancing security capabilities
- Update of the original security risk assessment
- Updating the original Security Benefit Risk Analysis
Manufacturers shall investigate serious incidents with a cybersecurity cause in order to provide a comprehensive description of the serious incident, including:
- a description of the serious incident, including any information that could affect its understanding or evaluation, e.g. which information was compromised or threatened;
- a description of the health effects (if applicable), i.e. clinical signs, symptoms, conditions and overall health effects.
Incidents whose causes are related to cybersecurity are subject to trend reporting under the MDR.
In the trend report the manufacturer is obliged to specify the following:
- the methodology for determining any statistically significant increase in frequency or severity;
- how the incidents are managed;
- the observation period.
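Neither the MDR nor MDCG 2019-16 prescribes the statistical method for the trend report; the manufacturer has to choose and document one. As an added example (not from the guidance or from any manufacturer) the following Go program implements one common choice: incident counts per observation period are treated as Poisson-distributed, the expected count for the current period is derived from the baseline rate per device-period scaled by the current installed base, and the period is flagged when the probability of seeing at least the observed count under that expectation falls below a chosen significance level (alpha = 0.05 here). The monthly counts and installed-base figures are constructed; the second scenario shows why the installed base must be part of the method, since the same seven incidents are not significant once the fleet has doubled.

```go
package main

import (
	"fmt"
	"math"
)

// Period is one observation window (e.g. one month) of PMS data.
// Constructed structure for this example.
type Period struct {
	Incidents int     // cybersecurity-related (non-serious) incidents in the window
	Devices   float64 // devices in the field during the window (exposure)
}

// TrendResult is what goes into the trend report for one period.
type TrendResult struct {
	Expected    float64 // incidents expected from the baseline rate and current exposure
	Observed    int
	PValue      float64 // P(X >= Observed) under Poisson(Expected)
	Significant bool    // PValue < alpha
}

// ExpectedCount estimates the baseline incident rate per device-period from
// all baseline windows and scales it to the current installed base.
func ExpectedCount(baseline []Period, current Period) float64 {
	var inc, dev float64
	for _, p := range baseline {
		inc += float64(p.Incidents)
		dev += p.Devices
	}
	if dev == 0 {
		return 0
	}
	return inc / dev * current.Devices
}

// PoissonUpperTail returns P(X >= k) for X ~ Poisson(lambda), computed as
// 1 - CDF(k-1) with the recursive term update to avoid factorials.
func PoissonUpperTail(lambda float64, k int) float64 {
	if k <= 0 {
		return 1
	}
	term := math.Exp(-lambda) // P(X = 0)
	cdf := 0.0
	for i := 0; i < k; i++ {
		cdf += term
		term *= lambda / float64(i+1) // P(X = i+1) from P(X = i)
	}
	p := 1 - cdf
	if p < 0 { // guard against floating-point drift
		p = 0
	}
	return p
}

// AssessTrend applies the one-sided Poisson test at significance level alpha.
func AssessTrend(baseline []Period, current Period, alpha float64) TrendResult {
	expected := ExpectedCount(baseline, current)
	p := PoissonUpperTail(expected, current.Incidents)
	return TrendResult{Expected: expected, Observed: current.Incidents, PValue: p, Significant: p < alpha}
}

func main() {
	// Constructed six-month baseline: ~1000 devices in the field, 11 incidents in total.
	baseline := []Period{{2, 1000}, {1, 1000}, {3, 1000}, {2, 1000}, {2, 1000}, {1, 1000}}

	// Scenario 1: 7 incidents with an unchanged fleet -> significant increase.
	r1 := AssessTrend(baseline, Period{Incidents: 7, Devices: 1000}, 0.05)
	fmt.Printf("fleet 1000: expected %.2f, observed %d, p=%.4f, significant=%v\n",
		r1.Expected, r1.Observed, r1.PValue, r1.Significant)

	// Scenario 2: the same 7 incidents after the fleet doubled -> not significant.
	r2 := AssessTrend(baseline, Period{Incidents: 7, Devices: 2000}, 0.05)
	fmt.Printf("fleet 2000: expected %.2f, observed %d, p=%.4f, significant=%v\n",
		r2.Expected, r2.Observed, r2.PValue, r2.Significant)
}
```

The method's assumptions (independent incidents, a constant baseline rate, complete reporting) should themselves be written into the trend report, since a change in the device's installed base or in reporting behaviour can otherwise masquerade as a change in frequency. Severity can be handled the same way by running the test per IMDRF severity category rather than on the total.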
The use of IMDRF codes to index the cybersecurity-related root causes of non-serious incidents is desirable and can be included in the trend report. The IMDRF maintains terminologies and codes for adverse event reporting, in particular "Annex A: IMDRF terminologies for categorized Adverse Event Reporting (AER): terms, terminology structure and codes" and "Annex C: Investigation Findings".
Examples of cyber security incidents/serious incidents are listed in chapter 8 of MDCG 2019-16.
Relevant MDR Annex I requirements and further recommendations in Germany
The MDR requirements relating to cybersecurity are set out in Annex I:
- Chapter I, No. 1: general safety and performance requirements
- Chapter I, No. 3(b): risk management, including the identification and analysis of known and foreseeable hazards
- Chapter I, No. 4: risk control measures
- Chapter II, No. 14.2(d): mitigation of risks associated with the possible negative interaction between software and the IT environment
- Chapter II, No. 17.1: repeatability, reliability and performance of the programmable electronic system
- Chapter II, No. 17.2: software development according to the state of the art
- Chapter II, No. 17.4: definition of minimum requirements regarding hardware, IT network characteristics and IT security measures, including protection against unauthorised access
- Chapter III, No. 23.4: information in the instructions for use
In 2018, the German Federal Office for Information Security - BSI - published a recommendation for manufacturers on cyber security requirements for network-compatible medical devices.
Security patches that prevent death or a serious deterioration in the state of health caused by IT security vulnerabilities are corrective measures that must be reported in accordance with the MPSV, and also to the Federal Ministry of Justice and Consumer Protection.
The Federal Institute for Drugs and Medical Devices (BfArM) maintains a dedicated web page on the cybersecurity of medical devices, which lists the relevant corrective measures taken by manufacturers together with other important information and recommendations on cybersecurity.
Also consider the requirements resulting from the IEC 60601 standards series "Medical electrical equipment" for network equipment. Details on this standard are available in our blog entry "Active Medical Device Safety & the IEC 60601-1".
Cybersecurity starts during the development process
The regulatory requirements for cybersecurity of medical devices must be ensured throughout the entire product life cycle. For manufacturers, this means that they must implement processes as part of their risk management system:
- Securing patient and user information
- Manipulation protection of software
- Product observation and surveillance on the market
- Continuous adaptation of cybersecurity to the state of the art in IT technology
The development of the security concept therefore begins during the product development process and should be a constant companion during the product life cycle.
If you are not familiar with the methods of the hacker scene, you are welcome to contact seleon's Regulatory Affairs experts. Together with you, we will close your security gaps.
Please note that all details and listings do not claim to be complete, are not guaranteed and are for information purposes only.