Networked medical devices are exposed to concrete dangers from unauthorized disclosure, modification of data or loss of function. The importance of cybersecurity for medical devices is reflected by the growing body of published literature on the topic (2007-2017: 421 publications listed in PubMed) and by the product-specific safety communications issued by the U.S. Food and Drug Administration (FDA). Known examples include vulnerable insulin pumps, hard-coded password vulnerabilities in medical devices, and intrinsic safety problems with pacemakers or implantable cardiac defibrillators. Cybersecurity is, however, a shared task between the involved stakeholders, e.g. manufacturers and health care delivery organisations, as recent cyberattacks such as “WannaCry” on the NHS in Great Britain have shown. If the IT network environment of a hospital is not sufficiently protected, the best measures taken by the manufacturer are useless. Some operators, such as the U.S. Veterans Affairs Department and the Mayo Clinic, have nevertheless taken serious action to promote the cybersecurity of medical devices. In reaction to these emerging cybersecurity issues, regulatory requirements are currently changing in different markets.
How Cybersecurity Requirements will engage Medical Device Manufacturers in the Future
Future Developments in Standardisation
The new edition of the applicable international standard for risk management of medical devices, ISO 14971, is likely to include risks derived from data and system security. The risk management standard IEC 80001-1 is currently under revision as well, but in contrast to ISO 14971 it addresses the application of risk management to IT-networks incorporating medical devices. The second edition underwent a complete reorganisation into a process format similar to that of the general risk management standard ISO 31000. The scope of the second edition was broadened to “addressing the key properties of safety, effectiveness and both data and system security (including privacy) while engaging appropriate stakeholders”. Two new standardisation projects are currently under discussion to support cybersecurity in medical devices: a technical report in the IEC 60601 series with recommendations based on the foundational requirements described in IEC 62443-1-1, which deals with industrial automation and control systems security, and a new process standard in the IEC 80001 series extending the life cycle processes of IEC 62304 to the security of health software and health IT systems. As for the standard IEC 82304-1, its scope will be broadened to health software (not only software as a medical device), since the border between health products and medical devices is becoming increasingly blurred.