2018-06-25 | Expert contribution

How Cybersecurity Requirements Will Engage Medical Device Manufacturers in the Future

Networked medical devices are exposed to concrete threats: unauthorised disclosure or modification of data, and loss of function. The growing importance of cybersecurity for medical devices is reflected in the increasing number of publications on the topic (421 listed in PubMed for 2007–2017) and in the product-specific safety communications issued by the U.S. Food and Drug Administration (FDA) [1]. Known examples include vulnerable insulin pumps [2], hard-coded passwords in medical devices [3] and security weaknesses in pacemakers and implantable cardiac defibrillators [4]. Cybersecurity is, however, a shared task of all involved stakeholders, e.g. manufacturers and health care delivery organisations, as the 2017 "WannaCry" attack on the NHS in the United Kingdom showed: if the IT network environment of a hospital is not adequately protected, even the best measures taken by the manufacturer are useless. Some operators, such as the U.S. Department of Veterans Affairs [5] and the Mayo Clinic [6], have taken serious steps to promote the cybersecurity of medical devices. In response to these emerging cybersecurity issues, regulatory requirements are currently changing in several markets.

Contact: DGBMT im VDE e. V.

Regulatory Framework in Europe

Regulation (EU) 2017/745 on medical devices (MDR) entered into force on 25 May 2017 [7] and becomes applicable after a transition period. For software, this new European regulatory framework defines a set of specific requirements in Annex I (general safety and performance requirements), as depicted in the following figure. In particular, section 17.2 requires that device software be developed and manufactured in accordance with the state of the art, taking into account the development life cycle, risk management including information security, and verification and validation; section 17.4 requires manufacturers to set out minimum requirements concerning hardware, IT network characteristics and IT security measures, including protection against unauthorised access.

[Figure: General safety and performance requirements (MDR Annex I): Risks, Design, Principles, Requirements. Source: VDE e. V.]

Cybersecurity requirements thus clearly play an important role for the European legislator. Furthermore, on 8 June 2018 the Council of the EU agreed its negotiating position on the text of a "Regulation on ENISA, the EU Cybersecurity Agency, and on Information and Communication Technology Cybersecurity Certification" (the so-called "Cybersecurity Act") for negotiations with the European Parliament. Its aim is to set uniform cybersecurity requirements within the European Union via a certification framework for specific ICT products, services and processes, and to transform the European Union Agency for Network and Information Security (ENISA) into a permanent EU cybersecurity agency. Since medical devices are explicitly mentioned, it remains an open question whether this regulation will, at least partially, overlap with the MDR on the topic of certification.

Recently, the German Federal Office for Information Security (BSI) published a recommendation on "Cyber security requirements for network-compatible medical devices" that supports manufacturers in implementing the state of the art and the existing legal requirements in their products [8]. The paper also serves to sensitise manufacturers to the new hazards that arise from the networking and digitisation of medical devices.

Regulatory Framework in USA

The FDA has addressed cybersecurity for medical devices in two guidance documents, one with recommendations for risk management during device development and one for continuous monitoring of devices already on the market [9], [10]. The FDA regards cybersecurity of medical devices as a challenge for the entire life cycle. Furthermore, the U.S. Department of Health and Human Services recently established a Health Care Industry Cybersecurity Task Force to address cybersecurity challenges in the health care industry. Its 2017 report "Improving Cybersecurity in the Health Care Industry" summarised the current state of cybersecurity, identified the associated risks and gave recommendations for the future. For a more detailed discussion of the FDA's perspective, see [11].

But do the current FDA approval processes for medical devices reduce recalls that are primarily caused by software? Ronquillo and Zuckerman investigated this question in a recent paper based on a search of the FDA's public recall database for the period from 1 January 2011 to 31 December 2015 [12]. They found that a total of 627 different devices (1,447,134 units) were recalled because of software-related issues, 12 of which (190,596 units) were high-risk recalls, 11 of them involving devices already on the market (mostly in the categories anaesthesiology and general hospital). Notably, only 14 of the recalled devices had been approved through the premarket approval (PMA) process, which requires clinical trials or other scientific evidence, and none of the high-risk recalls concerned a device that had undergone PMA. This suggests that a more rigorous approval process may be beneficial.

Cyber Security Standards in the Context of Medical Devices

The FDA routinely publishes a list of recognised consensus standards for medical devices; a declaration of conformity to such a standard can be used to support a premarket submission. Searching the FDA's database of recognised consensus standards (recognitions are announced in the Federal Register) for "software/informatics" (Specialty Task Group Area) and "security" (keyword) yields a list of 11 standards. The most relevant among them are:

  • AAMI TIR57 [13]: principles for security risk management during device development
  • UL 2900-2-1 [14] (building on the general requirements of UL 2900-1 [15]): testable cybersecurity requirements for network-connectable components of healthcare and wellness systems, including medical devices

To cover the entire life cycle, AAMI TIR97, currently under development, will address post-market security management for device manufacturers [16]. In May 2016 the Diabetes Technology Society (DTS) released the DTSec standard, which specifies security requirements for wireless diabetes devices and provides for independent assurance [17]. In May 2018 the "Guidance for Use of Mobile Devices in Diabetes Control Contexts" was published for the safe use of consumer mobile devices (CMDs) in controlling diabetes-related medical devices [18]. A typical example of a CMD is a smartphone running an app that controls an insulin pump.

Medical software operated as a digital platform requires additional security measures. Here, ISO/IEC 27001 specifies the requirements for an information security management system (ISMS), and ISO 27799 provides health-specific guidance on implementing the ISO/IEC 27002 controls [19], [20]. Rösch et al. have shown that a digital platform for haemophilia patients (an electronic patient diary) benefits from applying the best practices of these standards [21].

[Figure: Shared cybersecurity responsibilities. Manufacturer: security functions, security life cycle; Operator: procurement, secure IT environment; Manufacturer and Operator: post-market monitoring. Source: VDE e. V.]

Future Developments in Standardisation

The new edition of ISO 14971, the international standard for risk management of medical devices, is expected to include risks arising from data and system security [22]. Two new standardisation projects are currently under discussion to support cybersecurity in medical devices: a technical report in the IEC 60601 series with recommendations based on the foundational requirements of IEC 62443-1-1, which deals with the security of industrial automation and control systems, and a new standard in the IEC 80001 series extending the life cycle processes to the security of health software and health IT systems. As with IEC 82304-1, the scope is being broadened to health software in general (not only software as a medical device), since the boundary between health products and medical devices is increasingly blurred.

References

[1] Center for Devices and Radiological Health, ‘Digital Health - Cybersecurity’. [Online]. Available: https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm. [Accessed: 06-Jun-2018].

[2] D. C. Klonoff, ‘Cybersecurity for Connected Diabetes Devices’, J. Diabetes Sci. Technol., vol. 9, no. 5, pp. 1143–1147, Apr. 2015.

[3] Department of Homeland Security (DHS), ‘Medical Devices Hard-Coded Passwords’, ICS-CERT, 13-Jun-2013. [Online]. Available: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01. [Accessed: 12-Jun-2018].

[4] B. Rios and J. Butts, ‘Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependencies’, WhiteScope, May 2017.

[5] A. Lipowicz, ‘VA to secure 50,000 networked medical devices - CIO determined to finish task this year’, FCW - The Business of Federal Technology, 20-May-2010. [Online]. Available: https://fcw.com/articles/2010/05/20/va-securing-50000-medical-devices.aspx. [Accessed: 06-Jun-2018].

[6] Mayo Clinic, Ed., ‘Medical and Research Device Risk Assessment Vendor Packet Instructions’. 15-May-2018.

[7] European Parliament and Council of the European Union, Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC. 2017, pp. 1–175.

[8] Bundesamt für Sicherheit in der Informationstechnik, ‘Cyber-Sicherheitsanforderungen an netzwerkfähige Medizinprodukte’. 02-May-2018.

[9] U.S. Food and Drug Administration (FDA), FDA Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. 2014, pp. 1–9.

[10] U.S. Food and Drug Administration (FDA), FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices. 2016, pp. 1–30.

[11] S. Schwartz et al., ‘The Evolving State of Medical Device Cybersecurity’, Biomed. Instrum. Technol., vol. 52, no. 2, pp. 103–111, Mar. 2018.

[12] J. G. Ronquillo and D. M. Zuckerman, ‘Software-Related Recalls of Health Information Technology and Other Medical Devices: Implications for FDA Regulation of Digital Health’, Milbank Q., vol. 95, no. 3, pp. 535–553, 2017.

[13] Association for the Advancement of Medical Instrumentation (AAMI), ‘AAMI TIR57: Principles for medical device security—Risk management’, 05-Jun-2015. [Online]. Available: http://www.aami.org/productspublications/ProductDetail.aspx?ItemNumber=3729. [Accessed: 08-May-2018].

[14] UL, ‘UL 2900-2-1 Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems’, 01-Sep-2017. [Online]. Available: https://standardscatalog.ul.com/standards/en/standard_2900-2-1_1. [Accessed: 14-Jun-2018].

[15] UL, ‘UL 2900-1 Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements’, 05-Jul-2017. [Online]. Available: https://standardscatalog.ul.com/standards/en/standard_2900-1_1. [Accessed: 14-Jun-2018].

[16] Association for the Advancement of Medical Instrumentation (AAMI), ‘AAMI TIR97: Principles for medical device security – Post-market security management for device manufacturers’. [Online]. Available: https://standards.aami.org/higherlogic/ws/public/projects/1296/details. [Accessed: 14-Jun-2018].

[17] Diabetes Technology Society (DTS), ‘Standard for Wireless Diabetes Device Security (DTSec)’, 23-May-2016. [Online]. Available: https://www.diabetestechnology.org/dtsec-standard-final.pdf. [Accessed: 14-Jun-2018].

[18] Diabetes Technology Society (DTS), ‘Guidance for Use of Mobile Devices in Diabetes Control Contexts’, 22-May-2018. [Online]. Available: https://www.diabetestechnology.org/dtmost/DTMoSt%20Guidance.pdf. [Accessed: 14-Jun-2018].

[19] International Organization for Standardization (ISO), ‘ISO/IEC 27001:2013 - Information technology -- Security techniques -- Information security management systems -- Requirements’, Oct-2013. [Online]. Available: https://www.iso.org/standard/54534.html. [Accessed: 14-Jun-2018].

[20] International Organization for Standardization (ISO), ‘ISO 27799:2016 - Health informatics -- Information security management in health using ISO/IEC 27002’, Jul-2016. [Online]. Available: https://www.iso.org/standard/62777.html. [Accessed: 14-Jun-2018].

[21] A. Rösch, D. Schmoldt, W. Mondorf, and R. Fischer, ‘Ensuring information security for the electronic patient diary smart medication™ by applying an Information Security Management System (ISMS) based on the international standards ISO/IEC 27001 and ISO/IEC 27799’, in Hämostaseologie, Vienna, 2018, vol. 38, p. 46. Related poster: https://www.raie.de/app/download/11760185712/180206-A4-Poster3-Druck.pdf?t=1529054043

[22] T. Prinz, ‘What are the new developments in risk management of medical software?’, LinkedIn, 17-May-2018. [Online]. Available: https://www.linkedin.com/pulse/what-new-developments-risk-management-medical-software-thorsten-prinz/.