With the introduction of the MDR and IVDR, the requirements for the safety of medical devices that can be connected to a network have increased. Among the many innovations introduced with the entry into force of the MDR and IVDR, the two regulations reinforce the focus of legislators on ensuring that devices placed on the EU market are suitable for the new technological challenges associated with cybersecurity risks. Among other things, they establish new essential security requirements for all medical devices that contain electronic programmable systems and for software that is itself a medical device. Manufacturers are required to design and manufacture their products in accordance with the state of the art, taking into account risk management principles, including information security, and to establish minimum requirements for IT security measures, including protection against unauthorized access.

Medical device manufacturers now have guidance to draw on. The MDCG (Medical Device Coordination Group) has published “Guidance on Cybersecurity for Medical Devices” (MDCG 2019-16). It explains in detail how manufacturers can meet all the relevant essential requirements of Annex I of the MDR and IVDR in relation to cybersecurity.

At the EU level, the following pieces of legislation are relevant to the cybersecurity of medical devices or to operators involved in the protection or processing of personal data stored in medical devices and could apply in parallel to the medical device regulations:

NIS Directive: provides for legal measures to increase the overall level of cybersecurity in the EU.

GDPR (General Data Protection Regulation): regulates and protects the processing of personal data relating to individuals in the EU by any individual, company or organization.

EU Cybersecurity Act: establishes a framework for the cybersecurity certification of ICT products, services and processes.

The relationship of these regulations and the cybersecurity requirements listed in Annex I of the MDR is shown in the next figure (Source: MDCG 2019-16):

The manufacturer is required to consider and demonstrate the state of the art in the design, development, and improvement of medical devices throughout their life cycle.

Safety, security, and efficacy are critical aspects of the design of medical devices and in vitro diagnostic devices and of their safety mechanisms; manufacturers must consider them early in the design and manufacturing process and throughout the life cycle.

“Secure by design.”

The MDCG proposes a staged security concept (a “defense in depth” strategy) as the basis for this. Its key process steps are as follows:

(Source MDCG 2019-16)

“Security management” – ensures that all process steps are followed and managed, and that security-related activities are adequately planned, documented, and executed throughout the product lifecycle.

“Specification of security requirements” identifies the security capabilities required to adequately protect the confidentiality, integrity, and availability of the data, functions, and services of the medical device, together with the specified product security context (e.g., authentication, authorization, encryption, etc.).

“Security by design” ensures that the product has security built into the design.

“Secure implementation” ensures that the product features of all (except external) hardware and software components are implemented securely.

“Security V&V testing” performs and documents security verification and validation testing.

“Security guidelines” creates and maintains the user documentation of the product security concept.

In addition to these core process steps, two more are added:

“Management of security-related issues” and “Security update management” ensure that security updates and security patches are tested for regressions and provided to product users in a timely manner.

Security risk management

A security risk analysis of the product should consider the impact of security vulnerabilities on the essential function of the product. The security risk analysis could list generic security-related hazards identified for the product.

Security Features

The list of known vulnerabilities and attack vectors is the basis for determining the security features required to adequately protect the confidentiality, integrity, and availability of the data, functions, and services of the medical device, together with the specified product security context, in line with the outcome of risk management.

Security risk assessment

When selecting security features as safeguards, the manufacturer should consider the intended clinical use of the device and the intended operating environment in order to strike the appropriate balance between security, effectiveness, and protection. Caution: there are many vulnerabilities, most of which are unknown. Once a vulnerability has been identified, it is considered “foreseeable”.

Analysis of security benefit and risk

An overall benefit-risk analysis is performed on the basis of the intended use and the potential security and performance impacts, using the security risk assessment, which covers the security-related threat categories.

Minimum IT Requirements

The manufacturer must specify the minimum requirements for the operating environment in terms of IT network characteristics and IT security measures for those controls that could not be implemented through the product design itself.

The medical device should be as autonomous as possible with respect to IT security.

The manufacturer’s assumptions regarding the IT security of the operating environment must be clearly documented in the instructions for use.

In cases where the medical device relies on the operating environment to perform important IT security controls, this should be stated in the accompanying technical documentation.

IT security requirements for the operating environment:

MDCG suggests the following list of possible IT security requirements for the operating environment:

Compliance with national and EU regulations (e.g., GDPR).

Ensuring the physical security of the medical device through appropriate physical security measures

Ensuring that appropriate security controls are in place

Ensuring control and security of network traffic through appropriate measures

Security measures specific to workstations connected to the medical device

Measures to limit the spread of an attack to a complex system that integrates multiple medical devices and other systems

Patch management precautions

Elements of the operating environment that interact with other devices (e.g., other equipment) or are required for operation of the medical device (e.g., the operating system) should ensure interoperability and must not compromise the specified performance of the medical device.

Additional example IT security requirements are listed in Chapter 7 of MDCG 2019-16.

Life Cycle Aspects

During the life of the device, the manufacturer should implement a process to collect post-market information about the security of the device.

This process should address the following:

Security incidents directly related to the medical device software;

Security vulnerabilities related to the medical device hardware/software and third-party hardware/software used with the medical device;

Changes in the threat landscape, including interoperability aspects.

The manufacturer should evaluate the information so collected, assess the associated security risk, and take appropriate actions to control the risk associated with such security incidents or vulnerabilities.

Instructions for Use

The manufacturer must provide the following information to the user of the medical device:

IT security risk assessment information.

Specifications of the operating system

Provisions for ensuring the integrity/validation of software updates and security patches

Security configuration options

Product installation

Initial configuration guidelines

Step-by-step instructions for deploying security updates

Procedures for using the medical device in failsafe mode

Documented action plan for the user to follow in the event of a warning message

User requirements in terms of training/required skills, including required IT skills

Minimum requirements for workstations intended for user operation: Hardware characteristics, operating system versions, peripherals, etc.

Minimum requirements for the platform for the permanently connected medical device: hardware characteristics, operating system versions, middleware and drivers, peripherals, etc.

Assumptions about the environment of use

Risks to device operation outside the intended operating environment.

Recommended IT security controls for the operating environment (e.g., anti-virus, firewall).

Description of backup and restore functions for data and configuration settings.

The following specific security information may also be provided via other supporting documents (e.g., Security Operations Manual, Service Manual, etc.):

List of IT security controls included in the medical device.

Depending on the type of product, provisions for ensuring the integrity/validation of software updates and security patches

Technical characteristics of hardware components

Software parts list

User roles and corresponding access privileges/authorizations on the device

Implementation of logging capability, particularly log storage capacity and recommendations for log backup and use

Implementation in a production system, including guidelines on security recommendations and requirements related to the integration of the medical device with a health information system

System operation, management, monitoring, and operational support

Minimum requirements for the management workstation for the tethered medical device: hardware characteristics, operating system versions, middleware and drivers, peripherals, etc.

In the case of network-connected medical devices, documentation should include a comprehensive matrix of network data streams (protocol types, origin/destination of data streams, addressing scheme, etc.).

If the operating environment is not exclusively local but includes external hosting providers, the documentation must clearly state what data is stored, where, and how, as well as the security controls that protect the data in the cloud environment (e.g., encryption).

Specific configuration requirements for the operating environment, such as firewall rules

Information for healthcare providers

The manufacturer must provide the following information to healthcare service providers regarding cybersecurity:

Instructions for use for devices and product specifications related to recommended cybersecurity controls.

Description of device features that protect critical functions, including when device cybersecurity is compromised

Description of backup and recovery functions and procedures for restoring configurations

Specific guidance to users regarding supporting infrastructure requirements to enable the device to function as intended

Description of how the device can be protected through secure configuration

List of network ports and other interfaces expected to receive/transmit data, and a description of port functionality and whether they are inbound or outbound ports

Sufficiently detailed network diagrams for end users.

Where applicable, technical instructions to enable secure (connected) deployment and maintenance of the network, as well as instructions for users on how to respond to the detection of a cybersecurity vulnerability or incident

If applicable, risks associated with using the medical device outside of its intended application environment

Post-Market Surveillance and Vigilance

The manufacturer is required to establish a post-market surveillance (PMS) system and to keep it actively up to date. Medical device cybersecurity considerations should be part of this PMS system.

Depending on the class of the device, a PMS report or a periodic safety update report (PSUR) is generated that summarizes the results and conclusions of the analysis of all data collected from the market.

An effective and successful post-market cybersecurity monitoring program should include, but not be limited to, the following:

Operation of the device in its intended environment

Sharing and disseminating information and knowledge about cybersecurity vulnerabilities and threats across sectors

Vulnerability remediation

Incident response

Improving security capabilities

Updating the original security risk assessment

Updating the original security benefit risk assessment

Manufacturers shall investigate serious incidents related to a cybersecurity incident in order to obtain a comprehensive description of the serious incident, including:

A description of the serious incident, including any relevant information that could affect the understanding or assessment of the serious incident, i.e., whether information was compromised or threatened;

A description of the health impact (if applicable), i.e., clinical signs, symptoms, conditions, and overall health impact.

Incidents whose root causes are related to cybersecurity are subject to trend reporting under the MDR.

As part of the trend report, the manufacturer is required to specify the following:

The methodology for determining any statistically significant increase in frequency or severity;

How the incidents will be managed;

The observation period.

The use of IMDRF codes to index the cybersecurity-related root causes of non-serious incidents is desirable, and these codes may be included in the trend report. IMDRF maintains a list of identified cybersecurity incident terms in “Annex A: IMDRF terminologies for categorized Adverse Event Reporting (AER): terms, terminology structure and codes” and “Annex C: Investigation Findings”.

Examples of cybersecurity incidents/serious incidents are provided in Chapter 8 of MDCG 2019-16.

Other recommendations and requirements in Germany

MDR requirements pertaining to cybersecurity are defined in Annex I:

Chapter I No. 1: Product safety requirements

Chapter I No. 3b: Risk management, including identification and analysis of known and foreseeable hazards

Chapter I No. 4: Risk control measures

Chapter II No. 14.2 d: Mitigation of risks related to the possible negative interaction between software and IT environment

Chapter II No. 17.1: Repeatability, reliability and performance of the Programmable Electronic System

Chapter II No. 17.2: Software development according to the state of the art

Chapter II No. 17.4: Definition of minimum requirements regarding hardware, characteristics of IT networks and IT security measures including protection against unauthorized access

Chapter III No. 23.4: Information in the instructions for use

In 2018, the German Federal Office for Information Security – BSI – published a recommendation to manufacturers on cyber security requirements for network-enabled medical devices.

Security patches issued to prevent death or serious deterioration of health due to IT security vulnerabilities are corrective actions that are reportable under the MPSV, and also to the Federal Ministry of Justice and Consumer Protection.

At the Federal Institute for Drugs and Medical Devices – BfArM, there is a special webpage on cybersecurity of medical devices, which lists relevant corrective actions by manufacturers and other important information and recommendations on cybersecurity.

Also consider the requirements arising from the IEC 60601 series of standards (“Medical electrical equipment”) for network-connected devices. Details on this standard can also be found in our blog post “Security of active medical devices & the IEC 60601”.

Cybersecurity starts with the development process

Regulatory requirements for cybersecurity of medical devices must be ensured throughout the product lifecycle. For manufacturers, this means implementing processes as part of their risk management system:

Safeguarding patient and user information

Tamper protection of software

Product monitoring and tracking on the market

Continuous adaptation of cybersecurity to the state of the art in IT technology

Development of the security concept therefore already begins in the development process of the product and should accompany the product throughout its life cycle.

If you are not familiar with the procedures of the hacker scene, you are welcome to contact seleon’s regulatory affairs experts with confidence. Together with you we will close your security gaps.

Please note that all information and listings do not claim to be complete, are without guarantee and serve purely as information.