#9 - Medical device cybersecurity

Connected medical devices support the real-time transfer of important diagnostic data to information technology (IT) systems, where artificial intelligence (AI) and machine learning (ML) can be used to quickly identify individual patient health patterns and anomalies. Connected devices allow for the monitoring of device performance, giving healthcare professionals advanced warning of a potential device failure or malfunction.

Connected devices and the data generated provide essential information on the effectiveness of various treatments, making meaningful contributions to ongoing efforts to improve patient outcomes. Such advantages are driving the significant growth of connected medical technology innovations, alongside efforts to expand access to healthcare services to remote areas and support increased demand for home healthcare solutions for patients with chronic health issues. However, the expanding use of connected technologies in the delivery of healthcare services also introduces potentially significant cybersecurity risks.

Like other data sets, health-related data includes confidential information that could be misused when accessed by those with malicious intent. Patients’ names and addresses, medical conditions and diseases, prescribed drugs and therapies, as well as details about insurance coverage, are examples of sensitive data collected by connected medical devices that could be vulnerable to cybersecurity threats and breaches.

Unfortunately, instances of cyberattacks against connected medical devices are becoming all too common. According to a 2020 survey conducted by Swedish software company ir.deto, more than 82% of medical device manufacturers experienced at least one cyberattack on one or more of their products in the previous 12 months. With the anticipated growth in the deployment and use of connected medical devices, cyberattacks are only likely to increase.

Cybersecurity requirements for medical devices

Amidst this growing threat landscape, regulators in major jurisdictions are increasingly aware of the need to provide the industry with clearer and more direct regulations and guidance on developing connected medical devices that can help secure them from the most likely cyber threats.

Evidence of the growing concern among regulators is exemplified by the evolution of European Union (EU) regulations that apply to medical device cybersecurity considerations:

• 1993 – The Medical Device Directive (93/42/EEC) includes a single sentence that indirectly refers to cybersecurity-related concerns.
• 2017 – The Medical Device Regulation (MDR) includes six paragraphs in Annex I that directly address cybersecurity considerations.
• 2019 – The Medical Device Coordination Group (MDCG) issues its “Guidance on Cybersecurity for Medical Devices.” This provides detailed descriptions of basic cybersecurity concepts, secure design and manufacturing practices, documentation and instructions for use, as well as post-market surveillance and vigilance.
• 2021 – End of the transitional period for the European MDR. New devices must now meet the requirements of the MDR before they can be placed on the European market.

The U.S. Food & Drug Administration (FDA) also has published guidance applicable to cybersecurity issues in medical devices. Issued in 2014, the FDA’s “Content of Premarket Submissions for Management of Cybersecurity of Medical Devices” outlines considerations that manufacturers should include as part of their device design and development phases, and which should be documented in their submissions under both its premarket notification (510(K)) and premarket approval (PMA) programs. The FDA’s most recent guidance, “Postmarket Management of Cybersecurity in Medical Devices,” issued in late 2016, provides a framework for medical device cybersecurity risk management and details on remediating and reporting cybersecurity vulnerabilities.

These and other regulations and guidance reflect the growing cyber threat, as well as the evolution of thinking about how manufacturers can minimize them. However, there continues to be considerable divergence within the industry on the best ways to effectively address cybersecurity issues specific to medical devices.

While many industry-accepted standards available are applicable to general cybersecurity issues, medical device manufacturers have lacked a life cycle standard addressing cybersecurity as it impacts connected medical devices. The absence of a dedicated standard has held back efforts to deploy common strategies to protect advanced connected medical technologies from current and future cybersecurity threats.

IEC 81001-5-1 – strengthening cybersecurity

To fill this critical void, the International Electrotechnical Commission (IEC) developed a new standard focused exclusively on cybersecurity issues impacting software in connected health technologies. This includes medical devices, and consumer-oriented health products and applications.

Released in December 2021 after more than three years of discussions and deliberations, IEC 81001-5-1 is an important supplement to IEC 62304, “Medical device software – Software life cycle processes,” which establishes a common framework for the life cycle processes related to medical device software.

Specifically, IEC 81001-5-1 addresses security issues related to health software, defined in the standard as: “Software intended to be used specifically for managing, maintaining, or improving the health of individual persons, or the delivery of care, or which has been developed for the purposes of being incorporated into a medical device.”

The broader scope of health software includes manufacturers of medical devices and software developers, whose products and applications are used in a variety of health-related systems and devices, as well as software as a medical device (SaMD) and software-only products intended for health-related uses.

IEC 81001-5-1 also covers the entire product life cycle of health software, from product development through post-market use and monitoring. The standard also recognizes the critical role of healthcare delivery organizations in maintaining effective cybersecurity practices, emphasizing the importance of bilateral communications between device manufacturers and software developers and those responsible for the use of connected devices.

Like other process-related standards, IEC 81001-5-1 details the activities to be undertaken by the manufacturer or software developer as part of the overall product development life cycle to help ensure protection against cyberthreats. Specific activities are described in clauses four through to nine of the standard:

• Clause 4 - General requirements
• Clause 5 - Software development process
• Clause 6 – Software maintenance process
• Clause 7 – Security risk management process
• Clause 8 – Software configuration process
• Clause 9 – Software problem resolution process

IEC 81001-5-1 also includes several informative annexes that can help manufacturers and developers meet the requirements of the standard. Annex B provides guidance on the implementation of life cycle activities to help ensure the security of health software. Annex C provides a detailed discussion of the threat modeling, a systematic approach for analyzing the security of a device or an application to facilitate the identification and prioritization of potential security threats. It also offers details on several approaches to develop an accurate threat model.

IEC 81001-5-1 is expected to be designated by the EU Commission as a harmonized standard under the MDR with an anticipated effective date in May 2024. The standard is also likely to be recognized by the U.S. FDA as a “consensus standard” that can be used in support of submissions for 510(k) and PMA review. But, regardless of the standard’s effective date, connected device manufacturers and developers of health software can gain significant benefits from meeting the requirements of IEC 81000-5-1 in current and future product designs.

In today’s highly connected world, cyberattacks against critical systems and equipment are becoming all-too-frequent. Quality healthcare depends on secure access to advanced medical technologies using software and communications protocols to actively exchange vital patient information with other medical systems and devices. Cyber breaches impacting medical devices put the safety of individual patients at risk and severely compromises the quality of healthcare for people worldwide.

The growing cyber threat landscape for connected medical devices requires device manufacturers and software developers to be proactive in designing their products to minimize the risk of potential cybersecurity vulnerabilities. IEC 81001-5-1 provides a detailed roadmap manufacturers and developers can adopt, helping to ensure the safety and security of their products through the entire life cycle.

About the author: Joe Lomako is the business development manager (IoT) at TÜV SÜD, a global product testing and certification organization.

TÜV SÜD
https://www.tuvsud.com
https://www.tuvsud.com/industries/healthcare-and-medical-devices