Cybersecurity in Medical Devices

As software is becoming more and more integral to Medical Devices, new opportunities arise from their networking and data exchange. But this is also exposing them to the same risks as common objects such as laptops and smartphones, i.e. unauthorized access to the device.

Although the FDA “is not aware of any patient injuries or deaths associated with cybersecurity incidents, nor [is] aware that any specific devices or systems in clinical use have been purposely targeted” (see. https://www.fda.gov/medical-devices/digital-health/cybersecurity), the Agency is revamping some of the main guidance documents related to device security.

• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices will be soon updated, and the new draft has been circulating for a while.
• Postmarket Management of Cybersecurity in Medical Devices was released in 2016 and is still up to date.
• Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software is dated 2005, but although a new revision is not on the horizon, the FDA has revamped the Off-The-Shelf Software Use in Medical Devices, re-released in September 2019. Although it is not directly related to cybersecurity, it lists a number of new activities that may have a significant impact on the way manufacturers manage OTS.

The general requirements for the cybersecurity in medical devices are divided into two areas:

1. Process
   • Risk Management process to include security aspects
   • Post Market Surveillance
   • Management of suppliers of OTS software
2. Product
   • Cybersecurity risk management
   • Implementation of recommended controls
   • Cybersecurity-specific verification activities

Stay tuned, more regulations will be coming out in the near future.

Other relevant regulations and standards:

• TIR57 – Principles for medical device security—Risk management
• ISO 30111 Information technology — Security techniques — Vulnerability handling processes
• UL 2900-1 – Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements
• UL 2900-2-1 – Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems
• ISO 27000 series – Information Security Management
• NIST SP 800 series

The SoftComply Risk Manager and SoftComply Risk Manager Plus can provide valuable support in the integration of cybersecurity in your risk management process.