MedTech Cyber Security in EU
Team-NB, the European Association for Medical Devices of Notified Bodies, was formed in 2001. Team-NB actively pursues transparency for notified bodies in Europe.
Recently, Team-NB released a position paper on cybersecurity for medical devices. The increasing number of connected medical devices and the ongoing digitisation of healthcare bring new market opportunities for manufacturers and, more importantly, improvements in patient care. At the same time, they present new and different types of risk to the safety, security, and privacy of medical devices. These connected medical devices range from sensor-based technologies such as wearables, to software as a medical device such as mobile medical apps, to implantable medical devices such as pacemakers. To ensure the safe and secure use of medical devices, state-of-the-art regulatory frameworks are necessary.
This position paper calls for
- consistent, and
- harmonised regulatory requirements
for a high level of cybersecurity and competitiveness at the European and international levels.
Since cybersecurity evolves at both the regulatory and the technological level, the paper is intended to reflect the state of the art at the time of its creation only.
There are few cybersecurity experts today, and that situation is likely to persist for the foreseeable future; therefore, one goal of the paper is to make conformity assessments of cybersecurity as efficient as possible without compromising quality.
The paper lists recommendations to ensure that safety, security, and privacy are protected as a collective effort. It outlines areas that may serve as possible solutions to current challenges by focussing on
- international standards,
- use of a harmonised approach to security risk assessment, and
- seeking a coherent harmonised approach for high level penetration test requirements,
which aim to support the medical device software development lifecycle from development through post-market surveillance to end of device life, using the quality management system, the Medical Device / In-vitro Diagnostic Device regulatory framework, and guidance from regulatory bodies.
The position paper from Team-NB recommends the following:
- Ensure the harmonised adoption of standards, for example IEC 81001-5-1, a state-of-the-art standard that is expected to be harmonised by the European Commission in the near future. Manufacturers should start the adoption process as soon as possible by creating transition plans.
- Harmonise the approach to security risk assessment; for example, it is recommended to use a systematic threat modelling technique (STRIDE is one such example) to ensure that all relevant threats are covered. The readability a systematic risk approach gives to third parties can support efficient assessment by notified bodies. The Common Vulnerability Scoring System (CVSS), self-defined matrices, or other similar methods may be used by manufacturers to score threats to medical devices.
- Harmonise high-level penetration test requirements; penetration testing is the primary means of security verification and validation, and it is recommended that medical devices have appropriate penetration test reports throughout their life cycle at appropriate intervals. Any penetration test should also have appropriate depth and coverage, with penetration testers who are independent of the device's development team and appropriately skilled.
- Adopt a secure development life cycle (SDL); the security of a medical device can only be supported by a secure life cycle process throughout the life cycle of the medical device. Cybersecurity should be considered at the early stages of development, throughout development, and in late phases of the life cycle such as multiplication of software, delivery, and disposal or deinstallation. Standards such as IEC 81001-5-1 provide essential details on how to realise this.
- Importance of Cybersecurity Post Market Surveillance (Cybersecurity PMS); Cybersecurity PMS as postulated by MDCG 2019-16 is an essential element to combat, for example, the challenge of rising ransomware attacks on hospitals, since the timely development and distribution of patches is essential to reduce entry gates for ransomware attacks and to stop the spread of ransomware attacks.
Due to the criticality of this issue, the compliance and effectiveness of Cybersecurity PMS processes may be part of conformity assessment through regulatory audits against the MDR and IVDR by notified bodies, and it is recommended that manufacturers consider Cybersecurity PMS and document it in accordance with the guidance and requirements of the regulations.
Experts at Med-Di-Dia Ltd. have 16+ years of experience in dealing with cyber security requirements for the MedTech field. Launching medical software can be a challenging task. With increased regulatory requirements in the EU, UK, USA and other countries, it is important that you plan a strategy NOW!
Med-Di-Dia – Your Regulatory Risk Partners for Medical Devices, Diagnostics and Digital Health!