Over the past few years, cybersecurity has become a major concern for medical device manufacturers (MDMs), for a number of reasons.
First and foremost, medical devices are becoming connected like never before with multiple communication channels. They are becoming increasingly software-driven, with rapidly growing code bases, reliant on a complex software supply chain, consisting of third-party software components and more and more open-source libraries. As MDMs work hard to build solid cybersecurity strategies, the threat landscape continues to evolve, with hackers increasingly setting their sights on embedded devices.
Regulators have taken notice of these developments, and a growing body of standards and regulations has arisen in response to concerns about cybersecurity and medical device safety.
In order to help medical device security pros navigate emerging regulations and standards, we’ve put together an overview of the major standards and regulations that pertain to the safe use and cybersecurity of medical devices.
Looking at some of the most recent developments in the market, software supply chain security has become such a major concern that US President Biden issued a Cybersecurity Executive Order in 2021 with guidelines for the federal government and its suppliers to reduce cybersecurity risk and improve the overall national security posture.
Otherwise known as EO 14028, the order focuses on the modernization and implementation of strong security standards, and stresses the need for manufacturers and vendors to supply and validate an accurate and comprehensive software bill of materials (SBOM) for their products.
As part of the push to bring SBOM regulation to the forefront, CISA (the US Cybersecurity and Infrastructure Security Agency) has been working hard to standardize SBOMs. That effort is headed by Allan Friedman, veteran SBOM champion and CISA senior advisor and strategist, who coordinates the agency's SBOM work.
FDA Pre-Market Approval Guidelines
The Food and Drug Administration (FDA) of the United States Federal Government is responsible for protecting public health by ensuring the safety and security of, among other things, medical devices.
Unlike the voluntary standards discussed in this overview, the FDA brings the power of the law to the security of medical devices. In fact, for any medical device to be legally sold in the U.S., the manufacturer or marketer must seek pre-market approval from the FDA, which requires a formal presentation of evidence that the device is reasonably safe and effective.
In 2014, the FDA issued guidance regarding the safety and security of medical devices and updated its guidance in 2018. However, due to the very rapidly evolving cybersecurity landscape, the FDA is in the process of updating its views. Its pending 2022 draft is still accepting comments and is expected to be codified and released later this year.
The new guidance insists on six expectations and introduces the concepts of a Secure Product Development Framework (SPDF) and a Software Bill of Materials (SBOM), which cover security and safety throughout a medical device's total life cycle:
#1 Cybersecurity is an integral part of device safety
#2 Security by design
#4 Security risk management
#5 Security architecture
#6 Testing/objective evidence
The International Electrotechnical Commission (IEC) is an international standards organization that creates international standards for electrical and electronic technologies. Numerous medical devices fall under their purview.
Originally published in 2006 and supplemented by an amendment in 2015, the IEC 62304 international standard has been the "workhorse" of the software (not hardware) side of medical device security. Entitled "Medical Device Software — Software Lifecycle Processes", its Edition 2 is scheduled for release shortly, but until then the 2006/2015 standard remains in force, with a stability date through 2025.
The 62304 standard addresses lifecycle processes for software whether it is a standalone software that is itself a medical device or software that is embedded in or integral to a medical device. In today’s increasingly connected world, filled with a growing body of artificial intelligence and data-gathering capabilities, most medical devices being produced fall under that category.
The standard decomposes the software lifecycle into five processes:
- Risk management
- Configuration management
- Problem resolution
and assigns one of three software safety classifications:
- Class A: No injury or damage to health is possible
- Class B: Injury is possible, but not serious
- Class C: Death or serious injury is possible
The safety classifications pertain to the risk of harm from a hazardous situation to which the software could contribute. Each classification has its own summary of requirements. As new software is developed and implemented, its owners/creators adhere to the requirements of the safety classification that they are striving to achieve.
For legacy software that is already in the field, the standard calls for risk management activities, gap analysis, gap closure, and rationale for continued use.
The standard does not deal with validation or final release of the medical device even when the device consists entirely of software.
In practice, 62304 functions best in conjunction with other standards such as ISO 13485, ISO 14971 (for cybersecurity risk management), ISO 81001-5-1:2021 (a regulatory standard for medical devices), IEC 60601-1, ISO/IEC 12207, IEC 61508-3, and ISO/IEC 90003.
IMDRF Cyber Working Group
Established in 2011 by representatives of the medical device regulatory authorities of Australia, Brazil, Canada, China, the European Union, Japan, and the United States, together with the World Health Organization (WHO), the International Medical Device Regulators Forum (IMDRF) is a voluntary international group of medical device regulators. Its goal is to accelerate international medical device regulatory harmonization and convergence.
IMDRF/CYBER WG/N60 Final Guidance, published in March 2020, provides general principles and best practices for medical device cybersecurity. This working group considers cybersecurity broadly in the context of medical devices that either contain or are composed of software, not only connected devices. It is concerned with medical device safety and performance and includes recommendations not only for manufacturers but all stakeholders. The Forum strives for the harmonization of cybersecurity approaches across the Total Product Lifecycle (TPLC) of medical devices.
The N60 standard introduces two major concepts:
- Legacy Medical Devices that cannot be reasonably protected via updates against current and future cybersecurity threats
- Software Bill of Materials (SBOM), a detailed inventory report identifying each software component by name, origin, version, and build, and including any commercial, open source, or off-the-shelf software components which are part of the medical device
For legacy devices, N60 defines the responsibilities between manufacturer and customer throughout the TPLC and makes recommendations to both.
For SBOMs, the IMDRF declares that they should be used to help device operators manage the assets and related risks:
- Device operators should use the SBOM to facilitate cooperation with the device manufacturer in identifying software that may have vulnerabilities, update requirements, and how to perform appropriate security risk management
- The SBOM should help with purchasing decisions by providing buyers with visibility into the components used and the potential security risks
- Manufacturers of medical devices should adopt industry best practices for the format, syntax, and markup used for the deployment of SBOMs (compatibility)
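The IMDRF describes an SBOM as an inventory that identifies each component by name, origin, version, and build, and that operators use to spot software with known vulnerabilities. The following Python script, an added example that is not part of the original article or any IMDRF/CISA material, shows the two checks a device operator would run over such an inventory: an inventory-completeness check (every component carries the identifying fields) and a cross-check of component versions against an advisory list. The SBOM is a constructed, minimal CycloneDX-style JSON document; the advisory identifiers (`ADV-EXAMPLE-*`), component names, versions and the simple "affected if below fixed_in" rule are all constructed for illustration and are not real CVEs or real products.

```python
"""Inventory-completeness and vulnerability cross-check over an SBOM.

Added example, not from the original article. SAMPLE_SBOM is a
constructed CycloneDX-style document (bomFormat / specVersion /
components[]); SAMPLE_ADVISORIES is a constructed advisory list with
placeholder identifiers. Version comparison assumes dotted numeric
versions, which is a simplification of real package version schemes.
"""
import json

# The fields the article's SBOM definition calls for: name, version and
# origin. Origin is carried here as a package URL (purl), which CycloneDX
# components commonly include.
REQUIRED_FIELDS = ("name", "version", "purl")

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "device",
                               "name": "example-infusion-pump-fw",
                               "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "tls-lib", "version": "2.4.1",
         "purl": "pkg:generic/tls-lib@2.4.1"},
        {"type": "library", "name": "json-parser", "version": "1.0.3",
         "purl": "pkg:generic/json-parser@1.0.3"},
        {"type": "operating-system", "name": "rtos-kernel", "version": "10.2.0",
         "purl": "pkg:generic/rtos-kernel@10.2.0"},
        # Constructed defect: the version field was left out by the vendor.
        {"type": "library", "name": "logging-lib",
         "purl": "pkg:generic/logging-lib"},
    ],
})

# Constructed advisories: a component is affected when its version is
# strictly below fixed_in. ADV-EXAMPLE-0004 names a component the device
# does not ship, so it must not produce a hit.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "tls-lib", "fixed_in": "2.4.3"},
    {"id": "ADV-EXAMPLE-0002", "component": "json-parser", "fixed_in": "1.0.3"},
    {"id": "ADV-EXAMPLE-0003", "component": "rtos-kernel", "fixed_in": "10.3.0"},
    {"id": "ADV-EXAMPLE-0004", "component": "usb-stack", "fixed_in": "5.0.0"},
]


def parse_version(text):
    """Turn '10.2.0' into (10, 2, 0) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def load_components(sbom_text):
    """Parse the SBOM document and return its component list."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return doc.get("components", [])


def incomplete_components(components):
    """Names of components missing any of the identifying fields."""
    return [c.get("name", "<unnamed>") for c in components
            if any(not c.get(field) for field in REQUIRED_FIELDS)]


def find_affected(components, advisories):
    """(name, version, advisory id, fixed_in) for every affected component.

    Components without a version cannot be assessed and are skipped here;
    incomplete_components() is the place they get reported.
    """
    hits = []
    for comp in components:
        if not comp.get("version"):
            continue
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"],
                             adv["id"], adv["fixed_in"]))
    return sorted(hits)


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for name in incomplete_components(comps):
        print("incomplete inventory entry:", name)
    for name, ver, adv_id, fixed in find_affected(comps, SAMPLE_ADVISORIES):
        print("%s %s affected by %s (fixed in %s)" % (name, ver, adv_id, fixed))
```

The two results are deliberately kept apart: an entry with no version is an inventory defect to raise with the manufacturer, not a vulnerability finding, and silently treating it as "not affected" would hide exactly the gap an SBOM is meant to close.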
The first draft of the N60 standard was published earlier this year and is currently undergoing public consultation. The final version is scheduled for publication in 2023.
ISO/IEC 27001 is an international standard concerned with managing data security. It is not specifically focused on medical devices; rather, it is an infrastructure cybersecurity standard, and one of the weakest of the infrastructure standards. Originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, the standard was subsequently revised in 2013. The standard is actually a specification for an effective information security management system (ISMS). It addresses people, processes, and technology.
The standard is especially pertinent to medical devices since they are rapidly becoming more connected and increasingly subject to cyber threats.
Medical device manufacturers and practitioners seek to minimize risk to patients. The level of risk escalates when vital operational data is corrupted (patient safety) or personal health information is stolen (patient privacy). ISO 27001 describes the necessary approach to the management of information security.
Most organizations already implement certain information security controls, but these were probably developed over time by different groups as specific solutions for specific needs, and they are often disorganized and incomplete. ISO 27001 approaches information security management comprehensively by:
- Systematically examining an organization’s information security risks, considering threats, vulnerabilities, and impacts
- Implementing a coherent suite of information security controls to address risks that are unacceptable
- Adopting a comprehensive process to ensure that information security controls are flexible and able to meet information security needs on an ongoing basis
ISO 27001 is based on a set of internationally recognized best practices that cut across platforms and software packages. ISO 27001 certification helps organizations adapt to cyber threats and maintain continuity in the event of an incident by assessing the measures they have taken to protect patient data.
A nonprofit organization founded in 1967, the Association for the Advancement of Medical Instrumentation (AAMI) comprises a diverse community of 10,000 healthcare technology professionals who work together to advance health technology with a focus on patient safety. A voluntary standards organization based in the US, AAMI is accredited by the American National Standards Institute (ANSI), the organization that coordinates the development and promotion of all US voluntary standards.
Published in 2019, AAMI's Technical Information Report TIR97 addresses the post-market phases, while AAMI TIR57 addresses pre-market.
TIR97 instructs organizations on how to achieve post-market medical device security by conducting ongoing security-event handling with threat intelligence, vulnerability monitoring, and incident response.
This standard extends the definition of "harm" beyond incidents that directly cause physical harm to patients to include reduction of device effectiveness as well as breach of data security.
The US Food and Drug Administration (FDA) has designated TIR97 a "consensus standard" (voluntary but recommended), to be employed together with another ANSI standard, ANSI/AAMI/ISO 14971.
More Standards and Regulations are Coming
Our discussion of standards and regulations is just the beginning. Cyberattacks are increasing in frequency and sophistication, and the growing connectivity and data usage of medical devices is rapidly expanding their attack surfaces. We can therefore expect frequent updates to the current state of best practices and legal requirements that medical device manufacturers, supply chain vendors and end customers must follow to safeguard patients and practitioners.