Manufacturers of digital medical devices, medical devices that incorporate electronic programmable systems (PEMS) and software that are medical devices in itself, will have full responsibility to establish and maintain ‘security by design’ with the introduction of the Medical Device Regulation (MDR). A secure product development life cycle based on state-of-the-art practices and modern tool chains should be implemented.
Where digital health technologies are becoming complex, cybersecurity conformity assessments ensure, both for end users and manufacturers, that products meet the standards and their security needs. The European Association for Medical Devices of Notified Bodies (Team NB) has published a position paper where they share their key takeaways on making conformity assessments as efficient and effective as possible, without compromising on quality.
National cybersecurity requirements are a challenge
As we are moving into the industry 4.0 era, digitization within the medical device industry and healthcare are now in full throttle. A good example of this kind of transformation are the connected medical devices, including monitoring devices, wearables sensors, mobile medical apps, telehealth solutions, extended reality (XR) devices and electronic implants, such as pacemakers.
All these medical innovations should lead to the improvement of preventive and personalized patient care, which is a great prospect. The capability to instantly generate, collect, analyse and transmit healthcare data, for the purpose of diagnosing medical conditions, suggesting treatments and informing clinical management, is immensely valuable to physicians and their patients. While the potential of digital medical devices has been recognized for several years, and the market is expected to continue its growth, these kinds of digital health technology innovations and their ability to process personal health data introduce new risks to safety, security, and privacy.
To manage these risks and to ensure safe and secure use of digital medical devices, the EU-MDR requires cyber security to be addressed throughout the product development life cycle (Secure Design and Manufacture) as well as during the supported lifetime (Post Market Surveillance and Vigilance). It provides a cybersecurity regulatory framework, both in Annex I of MDR, General Safety and Performance Requirements, and MDCG 2019-16, Guidance on cybersecurity for medical devices. In addition, there are cybersecurity requirements and guidelines drafted and implemented on a national level.
As a consequence, medical device manufacturers who have products in the European market need to consider all these national cybersecurity requirements as well, which can result in a huge challenge.
EU Cyber Resilience Act (CRA)
As of September 2022, the European Commission proposed a new Cyber Resilience Act (CRA). This Act aims to introduce EU-wide rules and cybersecurity requirements for manufactures and developers of products that include digital elements. However, medical devices are excluded from the proposed CRA. The European Data Protection Supervisor (EDPS) is currently debating whether to include medical devices in the Act, since the MDR lacks specific requirements on data encryption.
Opinion from Notified Bodies
The European Association for Medical Devices of Notified Bodies, or Team NB, works to advance high standards and pursues transparency for EU Notified Bodies actively. Recently, they have released a position paper related to cybersecurity and they aim to make cybersecurity conformity assessment(s) as effective as possible, without sacrificing quality.
The paper encourages and provides recommendations on the usage of:
- Harmonized adoption of standards, such as the cybersecurity standard IEC 81001-5-1 and IEC TR
60601-4-5 (note that IEC TR 60601-4-5 may be withdrawn for harmonization according to draft
standardization request of 1 June 2022).
- Harmonized approach to a ‘Shift left approach’, where threat modelling techniques are included in the early phase of product development. It is encouraged to make use of the modeling technique ‘STRIDE’, which identifies security threats on six categories and can easily be integrated with ISO 14971 Risk Management.
- Harmonized approach penetration testing, by using appropriate penetration test methodologies and execution standards, such as a penetration testing execution standard (PTES).
- Adoption of secure development lifecycle (SDL), by using essential details layout in IEC 81001-5-1, which nicely fits in the existing IEC 62304 standard and introduces security elements from the IEC 62443.
- Importance of cybersecurity Post Market Surveillance (cybersecurity PMS)
A coordinated effort is required by the industry and notified bodies to protect privacy and cyber safety. As a result, the position paper identifies potential areas, suggests directions and provides guidance for notified bodies on cybersecurity conformity assessments, which lead to safer and more secure devices.
Do you have any questions or need assistance with navigating the cyber security regulatory framework for your medical devices and/or in the preparation for cybersecurity conformity assessment(s)? Do not hesitate to reach out!