The essentials for cybersecurity of medical devices

Joe Lomako, business development manager (IoT) at TÜV SÜD, outlines key regulatory considerations regarding cybersecurity.

Few innovations in recent memory have done more to transform healthcare than the use of connected technologies. However, they also introduce several potentially significant cybersecurity risks.

Like other data sets, health-related data includes confidential information that could be misused when accessed by those with malicious intent. Names and addresses of patients, medical conditions and diseases, prescribed drugs, and therapies, as well as details about insurance coverage, are just some examples ofsensitive data collected by connected medical devices that could be vulnerable to cybersecurity threats and breaches.

Unfortunately, instances of cyberattacks against connected medical devices are becoming all too common. With the anticipated growth in the deployment and use of connected medical devices, the number of cyberattacks is only likely to increase.

Regulations and guidance

Amidst this growing threat landscape, regulators in major jurisdictions are increasingly aware of the need to provide the industry with clearer and more direct regulations and guidance on developing connected medical devices that can help secure them from the most likely cyber threats.

Evidence of the growing concern among regulators is perhaps best exemplified by the evolution of the European Union’s (EU) regulations that are applicable to medical device cybersecurity considerations:

• 1993 – The Medical Device Directive (93/42/EEC) includes a single sentence that indirectly refers to cybersecurity-related concerns.
• 2017 – The Medical Device Regulation (MDR) includes six paragraphs in Annex I that directly address cybersecurity considerations.
• 2019 – The Medical Device Coordination Group (MDCG) issues its “Guidance on Cybersecurity for Medical Devices”. This provides detailed descriptions of basic cybersecurity concepts, secure design and manufacturing practices, documentation, and instructions for use, as well as post-market surveillance and vigilance.
• 2021 – Implementation of the European Medical Devices Regulation. New devices must now meet the requirements of the MDR before they can be placed on the European market.

In the U.S., the Food & Drug Administration (FDA) has published several pieces of guidance applicable to cybersecurity issues in medical devices. Issued in 2014, the FDA’s guidance, “Content of Premarket Submissions for Management of Cybersecurity of Medical Devices”, outlines considerations that manufacturers should include as part of their device design and development phases, and which should be documented in their submissions under both its premarket notification (510(K)) and premarket approval (PMA) programmes. The FDA’s most recent guidance related to cybersecurity, “Postmarket Management of Cybersecurity in Medical Devices”, was issued in late 2016 and provides a framework for medical device cybersecurity risk management, as well as details on remediating and reporting cybersecurity vulnerabilities.

These and other regulations and guidance reflect the growing cyber threat, as well as the evolution of thinking about how manufacturers can minimise them. However, there continues to be considerable divergence within the industry on the best ways to effectively address cybersecurity issues specific to medical devices.

While there are several industry-accepted standards available that are applicable to cybersecurity issues in general, medical device manufacturers have lacked a life cycle standard that directly addresses the issue ofcybersecurity as it impacts connected medical devices. The absence of a dedicated standard has held back efforts to deploy common strategies to protect advanced connected medical technologies from current and future cybersecurity concerns.

Cybersecurity focus

To fill this critical void, the International Electrotechnical Commission (IEC) has developed a new standard focused exclusively on cybersecurity issues impacting software used in connected health technologies. This includes medical devices, and consumer-oriented health products and applications.

Released in December 2021 after more than three years of discussions and deliberations, IEC 81001-5-1 is an important supplement to IEC 62304, “Medical device software – Software lifecycle processes,” which establishes a common framework for the life cycle processes related to medical device software.

Specifically, IEC 81001-5-1 addresses security issues related to all types of “health software,” which is defined in the standard as: “Software intended to be used specifically for managing, maintaining, or improving the health of individual persons, or the delivery of care, or which has been developed for the purposes of being incorporated into a medical device.”

As this definition clearly confirms, the broader scope of “health software” includes not just manufacturers of medical devices but also software developers, whose products and applications are used in a variety of health-related systems and devices, as well as software as a medical device (SaMD) and software-only products intended for health-related uses.

IEC 81001-5-1 also covers the entire product life cycle of health software, from product development through post-market use and monitoring. For this reason, the standard also recognises the critical role of healthcare delivery organisations in maintaining effective cybersecurity practices, emphasising the importance of bilateral communications between device manufacturers and software developers, as well as those responsible for the actual use of connected devices.

Like other process-related standards, IEC 81001-5-1 details the activities to be undertaken by the manufacturer or software developer as part of the overall product development life cycle to help ensure protection against cyberthreats. Specific activities are described in clause four through to nine of the standards, as follows:

• Clause 4 - General requirements 
• Clause 5 - Software development process 
• Clause 6 – Software maintenance process
• Clause 7 – Security risk management process
• Clause 8 – Software configuration process
• Clause 9 – Software problem resolution process

IEC 81001-5-1 also includes several informative Annexes that can help manufacturers and developers meet the requirements of the standard. Annex B provides guidance on the implementation of life cycle activities to help ensure the security of health software. Annex C provides a detailed discussion of the threat modelling, a systematic approach for analysing the security of a device or an application to facilitate the identification and prioritisation of potential security threats. It also offers details on several approaches that can be used to develop an accurate threat model.

The growing cyber threat landscape for connected medical devices requires that device manufacturers and software developers take a proactive approach in designing their products to minimise the risk of potential cybersecurity vulnerabilities. IEC 81001-5-1 provides a detailed roadmap that manufacturers and developers can adopt, thereby helping to ensure the safety and security of their products through the entire lifecycle.