Best Practice: Cybersecurity of Medical Devices

an Expert Interview


DGBMT im VDE e. V.

In terms of regulatory requirements, manufacturers of networked medical devices must consider both safety and security. This is also reflected in the new requirements of the EU Medical Devices Regulation (MDR). We had the opportunity to talk to Dr. Daniel Jacobi (Lead Software Architect, Zühlke Engineering GmbH, Eschborn) and Mr. Bernhard Petri (Product CERT, Siemens AG, Munich) about this topic:

Dr. Jacobi, the US standard AAMI TIR 57 describes the management of risks arising from the security requirements of medical devices. What are the differences in the approach compared to risk management according to ISO 14971?

Medical device manufacturers are used to the safety risk management standard ISO 14971. To minimize the hurdles for additional security risk management, it is advantageous to build on the experience gained previously in this area. This is exactly where the TIR 57 comes in. It reproduces the chapter structure of ISO 14971 and transfers the contents into the security area. Accordingly, this standard also defines the requirements and documents of the security risk assessment for medical devices analogous to the contents of ISO 14971. At the same time, the TIR 57 clarifies that security aspects cannot simply be integrated into an ISO 14971 risk assessment but should be regarded as a parallel task, and thus the standard defines a procedure that complies with FDA security guidelines. There are mutual reactions between the risk assessments for safety and security, which must be dealt with at defined interfaces. Although the TIR 57 defines the process environment for the security risk assessment, it does not provide the concrete risk assessment activities. The standard refers to existing methods, and comprehensive examples are given in the appendices.

Mr. Petri, the British Standards Institution (BSI) recommends that medical device manufacturers use the IEC 62443-4-1 and IEC 62443-4-2 of the industrial automation technology. Can these standards also be used without problems in the field of medical engineering?

The IEC 62443 series of standards was originally developed for cybersecurity in the field of "Industrial Automation and Control Systems", but it soon became apparent that the resulting standards of this series could also be used successfully in many other market segments, including medical engineering. The IEC 62443 series of standards benefits from the fact that it understands and deals with cybersecurity holistically with regard to the aspects of "persons - processes - technology" and that the underlying role model of IEC 62443 (from the asset owner / operator via the "integrator" up to the product supplier and its development processes) can be well mapped to corresponding roles and dependencies in the medical field, e.g. between hospital operators, physicians, IT/network integrators, and medical device manufacturers. The IEC 62443 standards are therefore increasingly recommended by the FDA, the BSI and similar organizations for the medical sector. However, the application of the IEC 62443 standards in the field of medical engineering is by no means completely without difficulty, especially regarding the terminology used and references to industrial systems. Organizations active in the field of "medicine and cybersecurity", such as the American MDISS, have therefore started to make recommendations on how the requirements of IEC 62443 standards can be interpreted and linguistically adapted for the field of medical engineering.