For some time now, software within medical devices has been gaining more and more attention, either as “software as a medical device” or as “embedded software”. It is not surprising that the cybersecurity of these devices is now also becoming the focus of notified bodies. Guidelines such as MDCG 2019-16, EN IEC 81001-5-1 or the FDA Guidance “Cybersecurity in Medical Devices” set expectations that can seem overwhelming for many medical device manufacturers. In addition, the NIS-2 directive will come into force on the 18th of October 2024. So how can cybersecurity be integrated into my day-to-day processes? What hurdles and challenges are there? Do I have to reorganise everything or is it easier than expected?
Cybersecurity in the product lifecycle – What should I look out for?
Cybersecurity (or product security) is one of the most interdisciplinary topics in the development of medical devices. From production and development to installation, operation, maintenance and decommissioning, cyber security is a constant companion. While cybersecurity is more often considered intuitively in software development, this is not always the case for topics such as the maintenance of medical devices or decommissioning. Ask yourself the following questions:
- Is software installed during the manufacturing of my product? Who has access to it? Is my production computer isolated or connected to the network?
- Is the compilation of my software strictly regulated or can any employee start a rollout?
- How many open interfaces does my device have for maintenance? How do I protect them, and have I closed all my backdoors from development?
- Are there instructions for my customer on how to dispose of my product properly and delete all important data completely?
Cyber security must not only play a role during software development, but also affects the entire product life cycle. It is therefore advisable not to let this important topic run separately and in parallel, but to integrate it into the existing life cycle process. EN IEC 81001-5-1 in particular facilitates this endeavour by having the same structure as EN 62304 for the software life cycle process. Integration made easy.
A close look at EN 81001-5-1
What exactly is EN IEC 81001-5-1 about? The standard comes from the “Health software and health IT systems safety, effectiveness and security” series and is entitled “Security – Activities in the product life cycle”. It describes activities that must be carried out during the entire product life cycle in order to protect the product itself against attacks. These activities cover the following areas:
- General requirements for the QMS
- Requirements for the software development process
- Requirements for the maintenance process of the product
- Requirements for risk management
- Requirements for configuration management
- Requirements for the problem-solving process
EN IEC 81001-5-1 therefore provides a clear structure as to which processes are affected by cyber security during the product life cycle and presents medical device manufacturers with a challenge. What happens to legacy products where implementation is severely restricted?
In the case of legacy products, the standard offers a solution in the form of Annex F. This describes the procedure for so-called “transitional health software” and the minimum activities that need to be carried out. These are essentially risk management and the PMS area. For the other activities, Annex F requires a migration plan in order to achieve conformity with the rest of the standard. If some components of the software cannot be migrated, continued use can also be justified with a corresponding risk-benefit analysis. But be careful: the overall risk of the software must be analysed and evaluated extensively and comprehensively. Justified continued use is therefore difficult and time-consuming.
To summarise, EN IEC 81001-5-1 provides a procedural structure for integrating cyber security into the product life cycle and, with Annex F, also offers a simple procedure for existing products.
Cybersecurity in Medical Devices – Clear expectations of the FDA
EN IEC 81001-5-1 provides a clear procedural framework in which cyber security must be taken into account during the product life cycle. However, like many standards, it offers few concrete recommendations for action. So what exactly should be done?
To answer this question, it is necessary to take a look at the FDA Guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”. In this guidance, the FDA not only explains its expectations for the documents to be submitted, but also specific requirements regarding their content. Most of these specifications can be transferred to the requirements of EN IEC 81001-5-1, such as the required security architecture. The standard does not specify this further, whereas the guidance divides it into four different architecture types with precise requirements.
The FDA Guidance goes beyond EN IEC 81001-5-1 in several significant respects:
- Specific requirements for the documentation of the software bill of material (SBOM)
- Specific requirements for cyber security risk management, including the threat model
- Specific requirements for the interoperability of medical devices
- Specific requirements as to which control measures should be implemented
The FDA Guidance is therefore an exceptionally good addition to EN IEC 81001-5-1, and not only that: the FDA also recognises EN IEC 81001-5-1 as a standard and has included it in its list of Recognized Consensus Standards.
NIS-2 – The future is now
On 27 December 2022, the European Union’s NIS-2 Directive was published, which aims to standardise cyber resilience within the Union and raise it to a higher level of security. This directive will officially enter into force on 18 October 2024 and must be transposed into national law by then. The corresponding draft bill has been available since 7 May 2024, and the corresponding government bill was adopted on 24 July 2024.
What does the NIS-2 directive mean for medical device manufacturers and to whom does it apply?
In general, NIS-2 applies to all manufacturers of medical devices and in-vitro diagnostics. In addition, companies must check whether they fall under Section C, Division 26, 27 or 28 of NACE Rev. 2 (NACE Rev. 2 – Statistical classification of economic activities – Eurostat, europa.eu). Furthermore, companies in the field of optical and electronic products, laboratory equipment, measuring instruments, machinery and electrical equipment should check whether they fall under Annex II of the NIS-2 Directive, which describes potentially critical sectors in which cyber security must be ensured. In particular, the new NIS-2 requirement for a cyber-secure supply chain places new demands on medical technology companies: in addition to the previous quality inspection of suppliers, it is now also necessary to check whether the supply chain has weaknesses or hazards with regard to cyber security.
Risk management requirements – What do I have to do?
The NIS-2 sets out clear requirements for risk management with regard to cyber security. In the current draft law, these requirements are reflected in Chapter 2, §§ 30-42. These include, among other things:
- Risk management measures for essential entities and important entities (§ 30)
- Reporting obligations (§ 32)
- Obligation to register (§ 33)
- Duty to inform (§ 35)
- Implementation, monitoring and training obligation for management boards of essential entities and important entities (§ 38)
- National liaison office and central reporting and contact point for essential and important entities (§ 40)
Another innovation is the active involvement of the management in the required implementations. § 38 requires the management to do the following:
- Implementing and monitoring the risk management measures described in § 30
- Regular participation in training courses in order to be able to assess risk management
In summary, it can be said that the NIS-2 directive, which comes into force on 18 October 2024, presents medical technology companies and suppliers with a challenge that should be addressed at an early stage in order to ensure the quality and safety of medical devices.
Please note that all details and listings are not intended to be exhaustive, are without guarantee and are for information purposes only.