Cybersecurity

Cybersecurity is an important aspect of any medical device that incorporates software. Such devices can be vulnerable to various cybersecurity threats, resulting in health-related, privacy, economic and reputational risks. As the medical device industry gravitates towards digital healthcare applications, the risk of cybersecurity attacks is rising, and stricter regulations and guidance on cybersecurity are therefore needed.

Both the IVDR and the MDR set out the minimum requirements for cybersecurity, dealing with both pre-market and post-market aspects. These requirements concern hardware, IT network characteristics and IT security measures, including protection against unauthorised access. Although not explicitly stated in the regulations’ requirements, security issues also need to be identified and analysed in the risk assessment; this security risk analysis need not be separate from the overall risk management process. When discussing risk in terms of cybersecurity, one needs to keep in mind the device’s intended use, its intended operational environment, any foreseeable misuse, and the possibility that some security issues may have safety impacts as well. Beyond risk, cybersecurity also needs to be addressed in other aspects such as labelling, the instructions for use and the post-market surveillance system.

As with any medical device, safety needs to be considered by the manufacturer from the early stages of design and development. In terms of cybersecurity, one needs to consider safety, security and effectiveness throughout the development, manufacturing process and life cycle of the device. MDCG 2019-16 presents a “Defence-in-Depth” strategy for a secure product life cycle, which comprises eight practices:

  1. Security management 
  2. Specification of security requirements 
  3. Secure by design 
  4. Secure implementation 
  5. Security verification and validation testing 
  6. Management of security-related issues 
  7. Security update management 
  8. Security guidelines 

While the MDR and the IVDR impose legal obligations only on manufacturers, it is important to recognise the roles and expectations of all stakeholders, such as manufacturers, suppliers, healthcare providers, patients, integrators, operators and regulators, in the interest of providing a secure healthcare service. Apart from the MDR and IVDR, there are various other documents that one would need to consult:

  • The IMDRF document IMDRF/CYBER WG/N60 lists specific expectations of stakeholders in the field of cybersecurity. 
  • The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU. 
  • The General Data Protection Regulation protects personal data regardless of the technology used for processing that data, and as such, this should also be considered for the scope of cybersecurity.  
  • The EU Cybersecurity Act introduces an EU-wide cybersecurity certification framework for ICT products, services and processes. 
  • IEC TR 60601-4-4:2021 provides safety-related technical security specifications for medical devices.