As the degree of interconnectedness of medical devices increases, cybersecurity has also become an important issue for medical device manufacturers and operators. On the one hand, manufacturers and operators must respond appropriately to threats in the face of a global and fast-moving threat environment. On the other hand, they have to take into account a number of laws, data protection regulations and documentation requirements. This technical article provides an overview of the current status of requirements for manufacturers.
Importance of cyber threats to medical devices
News of hacked hospital networks or compromised medical devices reaches us continuously. It is pointless to list individual incidents here, as such a list would already be outdated by the time this article appears.
Comparing the reported incidents, recurring forms of threat can be identified:
- Malware: malicious software designed to infect and damage computer systems (viruses, worms, Trojans, ransomware, spyware, ...).
- Phishing: users are tricked into revealing confidential information (passwords, credit card data, etc.), for example by means of deceptive e-mails or websites.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: crippling a system or network with an excessive amount of traffic, so that the service is no longer available (availability impaired).
- Manipulation: information is changed unnoticed, such as a doctor's letter containing a report (integrity violated).
- Data breaches: unauthorized access to sensitive information, such as personal data (confidentiality violated).
- Social engineering: manipulating people into revealing confidential information or performing actions; often used in combination with other techniques, such as phishing.
Since healthcare data is not "normal" data and by definition requires special protection (see Article 9 of the European General Data Protection Regulation (GDPR)), manufacturers and operators of medical devices must be aware of the associated risks. And since operational safety in the field of medical devices is closely linked to IT security, cyber threats can directly lead to threats to human life.
Regulatory requirements for the IT security of medical devices
In Europe, there are a number of different regulatory frameworks for cybersecurity in medical devices. The legal basis for medical devices, and thus also for medical software, is formed by the European Medical Devices Regulation (EU) 2017/745 (MDR) and the In Vitro Diagnostics Regulation (EU) 2017/746 (IVDR).
In general, medical devices must be designed and manufactured in such a way that risks - and explicitly also cyber risks - are reduced as far as possible. This includes risks arising from the interaction between software and the IT environment. EU regulations explicitly require that a medical device manufacturer perform risk management. This risk management must also address risks arising from cyber threats.
For products that include software, or for software itself, the manufacturer must take the state of the art into account during development and during production. This includes compliance with a defined software lifecycle, consideration of information security both during development and the provision of the necessary information to be able to maintain this during subsequent operation, as well as appropriate verification and validation of the (software) product.
Medical devices that contain software (or that are themselves software) are increasingly rarely operated as an "island" - they are networked. The legislator has also recognized this: in the case of network-capable products, manufacturers must specify minimum requirements for the IT environment. These relate to the hardware, to the characteristics of IT networks and IT security measures, and to precautions against unauthorized access.
Relevant standards offer assistance in translating the regulatory requirement into technical implementation. Here is a selection of articles on relevant standards, each of which is directly or indirectly related to IT security or cybersecurity for medical devices:
- Risk management for medical devices (ISO 14971)
- Cybersecurity risk management for medical devices: ARGOS
- Software life cycle for medical devices (IEC 62304)
- Extension of the software life cycle to include security (IEC 81001-5-1)
- Quality management for medical devices (ISO 13485)
- Medical electrical devices (IEC 60601-1)
Since cybersecurity requirements are not specific to medical technology, the well-founded considerations from the field of "IT security for industrial automation systems" (IEC 62443 series of standards), in particular IEC 62443-4-1 (life cycle requirements for secure product development) and IEC 62443-4-2 (technical security requirements for components of industrial automation systems), were transferred to the requirements of medical technology. The result is Technical Report IEC/TR 60601-4-5 ("Guidance and evaluation - Security-related technical requirements for security"), which describes the IT security requirements for medical devices operated as part of IT networks.
Another relevant series of standards, primarily aimed at operators of networked medical devices, is IEC 80001-1 on the application of risk management for IT networks containing medical devices.
Current guides on the IT security of medical devices
But even beyond norms and standards, other documents on cybersecurity are available and can be consulted when assessing the product as part of the conformity assessment. For example, the Medical Device Coordination Group (MDCG) already published a Guidance on Cybersecurity for medical devices (MDCG 2019-16) in early 2020. This guideline provides an overview of the requirements of the EU regulations, explains terms and presents cybersecurity concepts ("Secure by Design") for medical devices. In addition, it explains how to document IT security adequately and which aspects need to be considered for post-market surveillance (PMS) and vigilance of medical devices.
Another source of information is the International Medical Device Regulators Forum (IMDRF). Of particular interest for considering cybersecurity in medical devices are the following publications:
- Principles and Practices for Medical Device Cybersecurity
- Principles and Practices for the Cybersecurity of Legacy Medical Devices
- Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity
The IMDRF guidelines provide recommendations on general and specific cybersecurity aspects of medical devices and aim in particular to support the international convergence of requirements. This is particularly evident in the more recent papers ("Legacy" and "SBOM - Software Bill of Materials"), which address topics that are currently the subject of controversial international debate.
The Notified Bodies in Europe have published a questionnaire that forms the basis for the assessment of cybersecurity in a conformity assessment: "Questionnaire IT Security for Medical Devices".
The German Federal Office for Information Security (BSI) has also published recommendations on cybersecurity requirements for medical devices in its technical guideline BSI TR-03161 "Requirements for healthcare applications". The technical guideline is divided into three parts (mobile applications, web applications and background systems) and, following an analysis of the threats (security problem definition), sets out concrete requirements (test aspects). DiGA manufacturers in particular should address this technical guideline: for manufacturers of DiGA who submit an application to the Federal Institute for Drugs and Medical Devices (BfArM) for inclusion in the DiGA directory, it can be regarded as a fixed set of criteria to be met, in addition to the regulatory requirements already in place.
Highly relevant, especially with regard to the procurement of medical devices in hospitals, is the ANSI/NEMA standard HN 1-2019 "Manufacturer Disclosure Statement for Medical Device Security", better known by its abbreviation "MDS2".
Cybersecurity and critical infrastructure
In order to describe "measures for a high common level of cybersecurity in the Union", the EU has issued Directive (EU) 2022/2555 on cybersecurity, the so-called "NIS-2 Directive" (NIS: Network and Information Security). The member states must transpose this directive into national law, which is to be done in Germany by means of the "Act to Implement the NIS-2 Directive and to Regulate Essential Principles of Information Security Management in the Federal Administration (NIS-2 Implementation and Cybersecurity Strengthening Act - NIS2UmsuCG)" (the act is in draft form at the time of writing).
So far in Germany, the requirements from the NIS Directive (the predecessor of the "NIS-2 Directive") as well as from the IT Security Act, which had previously come into force in Germany, have been implemented in the Kritisverordnung (Critical Infrastructure Ordinance). This ordinance affects both providers of certain digital services and operators of critical infrastructures.
It also affects the healthcare sector, including hospitals (from 30,000 full inpatient cases per year), laboratories (from 1.5 million orders per year), pharmacies (from 4.65 million dispensed packages per year) and manufacturers of medical devices (turnover of at least EUR 90.7 million per year).
Under certain circumstances, hospitals must prove to the German Federal Office for Information Security (BSI) that they have taken the necessary "technical and organizational measures". According to the German Hospital Association, manufacturers can consider "audits, certifications, etc." for this purpose.
Cybersecurity Act and European cybersecurity agency
On April 17, 2019, ENISA (formerly the "European Network and Information Security Agency", now the European Union Agency for Cybersecurity) was anchored in the European legal system by means of Regulation (EU) 2019/881. The aim is to ensure the proper functioning of the internal market while achieving a high level of cybersecurity, cyber resilience and trust in the Union (see (EU) 2019/881, Art. 1), which includes the cybersecurity certification of information and communication technology.
To this end, the Regulation on the one hand strengthens the role of ENISA, as the Regulation gives it a permanent mandate. On the other hand, the regulation introduces a European certification framework for cybersecurity.
Among other things, ENISA will be given the task of drawing up possible certifications and an associated work program. This will include a list of products, services and processes for which certifications are planned.
In principle, the given legal framework makes it possible for mandatory certifications to be introduced.
Data protection regulations
Networked medical devices frequently store or process patient-related and thus personal data. These data play an important role in the medical care of patients; health data are not "normal" data and are classified as requiring special protection (see Article 9 of the European General Data Protection Regulation (GDPR)). The regulation, which came into force in 2018, contains numerous provisions that affect manufacturers and operators of medical devices.
For example, personal data may in principle only be processed electronically if the data subjects have also consented to the processing. In this context, the data subject must be able to understand beyond doubt how the data is processed. Manufacturers and operators of medical devices must be able to guarantee and demonstrate this.
The GDPR formulates certain requirements for personal data, especially confidentiality, availability and integrity. Manufacturers and operators of networked medical devices must therefore be able to guarantee the security of the data. Unlawful processing of data, data loss or data damage must be prevented. Likewise, the dignity of the data subject must not be violated, nor must their freedom be restricted in any way.
But the GDPR requires even more!
Thus, there is a fundamental right to receive information about the processed data, as well as the "right to erasure". In addition, manufacturers or operators are obliged to constantly improve the security level, taking into account the state of the art. Both the design (privacy by design) and the basic settings (privacy by default) must be data protection-friendly.
Medical device manufacturers or operators must comply with all of the above requirements and must also be able to demonstrate compliance with them. In addition, manufacturers and operators must pay attention to the geographical region in which the data is processed, for example in the case of cloud-based solutions. A data processing agreement (commissioned data processing) is essential.
We recommend that manufacturers and operators of networked medical devices deal in detail with all aspects of cybersecurity and data protection. It is not only the medical device legislation described above that needs to be taken into account, because the GDPR has significantly increased the significance of, and also the penalties for, data protection violations. At the same time, the cyber threat situation is continuously intensifying. This is shown by the current publication "Health Threat Landscape" by ENISA, the European Union Agency for Cybersecurity (see above).
For manufacturers, the effort required to maintain an overview of the legal framework, recommendations, standards, guidelines, etc. for cybersecurity in medical devices relevant to the German or European market is immense given their scope. For comparison: in the USA, the FDA (Food and Drug Administration) has issued a few specific guidelines that explicitly refer to certain standards.
Therefore, if you want to be sure of knowing the current state of the cybersecurity discussion in order to take it into account in your product design, feel free to contact us. We will support you in all regulatory issues.