On guard: Protecting devices against cybersecurity risk

Richard Poate, senior manager at TÜV SÜD, discusses some of the requirements that should be tested in the early design process of connected devices. 

Healthcare’s cyber transformation

Connected medical products with remote access are becoming a growth area, but these systems can become a target for cyberattack. This is because often not all the risks associated with a remote connection, and the usability of them by third parties, are taken into consideration. 

There are therefore multiple regulatory, ethical and business reasons to ensure that all digital healthcare and medical devices are thoroughly tested and secure. This includes compliance with global regulatory requirements, such as the In Vitro Diagnostic Medical Device Regulation (IVDR) and the Medical Device Regulation (MDR) in the EU; as well as the regional requirements of the US FDA, Health Canada, China National Medical Products Administration and the Japan Ministry of Health and Welfare. 

However, there are still no harmonised standards for the cybersecurity of medical devices. While global regulators play catch-up with this situation, there are some cybersecurity standards which are focussed and provide guidance for medical devices:

• MDCG 2019-16 – Guidance on cybersecurity for medical devices, which is one of the most important guidelines for MDR implementation.
• IEC/TR 60601-4-5 – Safety-related technical security specifications for medical devices (currently under development)
• IEC 81001-5-1 - Application of risk management for IT-networks incorporating medical devices (currently under development)
• UL 2900-2-1- The USA Food & Drug Administration’s cybersecurity aid for industry and regulators

Cybersecurity must be based on a well-structured development and testing process. For example, after any major software changes a vulnerability scan or penetration test should be repeated, at least partly. Manufacturers must also consider security-related tests regarding the change, as well as conduct regression tests which show that the change did not have a negative effect on the cybersecurity of the device. 

While there is currently no law that requires testing to be done, most guidance documents indicate that it should be conducted. Therefore, due to global regulations and privacy laws, skipping it is not an option. It is therefore up to manufacturers to prove due diligence – that they have taken appropriate actions to bring safe products onto the market. 

The EU’s MDCG 2019-16 document provides manufacturers with guidance on how to fulfil all the relevant essential requirements of Annex I to the MDR and IVDR regarding cybersecurity. When assessing risks in accordance with Annex I of the MDR, it is important to include security issues in the risk assessment. During the risk management process, the manufacturer should foresee or evaluate the potential exploitation of those security vulnerabilities that may be a result of reasonably foreseeable misuse.

First line of defence

While there are some standards and industry guidance available globally, they are not complete and ratified, neither are they mandatory. However, these do represent a first line of defence, and as a first step designers and manufacturers should think “secure by design” and take a proactive approach to cybersecurity, recognising that attacks are “when not if”. It is also vital to keep up to date with standards and regulations to ensure that they are working to the “state of the art”. Likewise, by following developments of testing frameworks, this will provide a guided, robust and cost-effective solution, alongside participating in appropriate standards workshops (for example CEN-CENELEC events for European Standards).

While digitisation and increasing connectivity bring enormous opportunities, unforeseeable risks and serious vulnerabilities can be exploited by new forms of cybercrime. Security that is tolerant of implant, wearable, mobile-connected, and public-network-using devices is therefore paramount. It is important to remember that there are no ‘bad user behaviours’, only scenarios that the designer or manufacturer has failed to identify. Neither should patients be expected to shoulder any additional burden for security as it is a manufacturer’s responsibility to ensure up to date compliance with all standards and constantly review the ‘cyber resistance’ status of devices.

The Internet of Medical Things (IOMT) has transformed healthcare. However, as medical devices become increasingly connected they also become more vulnerable to cyberattack, exposing the people use them to hazards that did not previously exist. 

Ongoing investment in cybersecurity is therefore crucial to keep up with both technological developments for competitive advantage, alongside effective measures to combat hacker attacks. All digital healthcare and medical devices must therefore be thoroughly tested and secure, as well as comply with global and regional regulatory requirements.