Cybersecurity in Medical Devices

As software becomes more and more integral to medical devices, new opportunities arise from networking them and exchanging their data. But this also exposes them to the same risks as everyday objects such as laptops and smartphones, i.e. unauthorized access to the device.

Although the FDA “is not aware of any patient injuries or deaths associated with cybersecurity incidents, nor [is] aware that any specific devices or systems in clinical use have been purposely targeted” (see https://www.fda.gov/medical-devices/digital-health/cybersecurity), the Agency is revamping some of its main guidance documents related to device security.

The general requirements for cybersecurity in medical devices are divided into two areas:

  1. Process
    • Risk management process extended to include security aspects
    • Post-market surveillance
    • Management of suppliers of OTS (off-the-shelf) software
  2. Product
    • Cybersecurity risk management
    • Implementation of recommended controls
    • Cybersecurity-specific verification activities

Stay tuned, more regulations will be coming out in the near future.

Other relevant regulations and standards:

  • AAMI TIR57 – Principles for medical device security – Risk management
  • ISO/IEC 30111 – Information technology – Security techniques – Vulnerability handling processes
  • UL 2900-1 – Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements
  • UL 2900-2-1 – Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems
  • ISO 27000 series – Information Security Management
  • NIST SP 800 series

The SoftComply Risk Manager and SoftComply Risk Manager Plus can provide valuable support in the integration of cybersecurity in your risk management process.