Guidance for Cybersecurity of Connected Medical Devices

Integration of advanced information technologies in medical devices has fostered the emergence of a new set of challenges for patients, healthcare providers, device developers and manufacturers. In this context, strengthening the security of connected medical devices against cyber-attacks is the responsibility of device developers and manufacturers. Apart from meeting regulatory requirements, they must also make continued efforts to protect confidential patient data to help ensure the safety of patients. Moreover, they need to thoroughly evaluate and address the potential cybersecurity risks associated with their products, not just during the product development stage but also throughout the products’ anticipated use lifetime.

To ensure patient safety and medical device performance, convergence of global healthcare cybersecurity principles and practices is of utmost importance. Recent guidance published by the International Medical Devices Regulators Forum (IMDRF) on March 18, 2020 discusses general principles and practices for medical device cybersecurity (including in vitro [IVD] medical devices), as well as pre- and post-market issues for device makers, for regulators and other stakeholders to consider.

The International Medical Device Regulators Forum (IMDRF) defines Cybersecurity as

“a state where information and systems are protected from unauthorized activities, such as access, use, disclosure, disruption, modification, or destruction to a degree that the related risks to confidentiality, integrity, and availability are maintained at an acceptable level throughout the life cycle.”

The general principles and best practices provided in the IMDRF document facilitates international regulatory convergence on medical device cybersecurity.

The guidance document covers six key recommendations for cybersecurity best practices:

• Implement risk-based approaches for design and development of medical devices
• Ensuring safety, performance, and security of devices as well as their connected healthcare infrastructures
• Cybersecurity is to be considered as a shared responsibility among manufacturers, healthcare providers, regulators, and other stakeholders
• Issuing recommendations to stakeholders to minimize risks of patient harm across a device’s total product life cycle
• Establishing consistently defined cybersecurity terms as well as best practices for achieving and maintaining device cybersecurity
• Developing and promoting broad data sharing policies regarding cybersecurity incidents, threats, and vulnerabilities

Some of the guiding principles relevant while developing, regulating, using, and monitoring medical devices; that needs to be taken into consideration by stakeholders include:

• Global Harmonization: All medical device stakeholders are encouraged to harmonize their approaches to cybersecurity throughout the life cycle of the medical device. This encompasses harmonization across product design, risk management activities throughout the life cycle of the device, device labeling, regulatory submission requirements, information sharing, and post-market activities
• Total Product Life Cycle (TPLC): From the initial conception to end of support (EOS), various risks associated with cybersecurity threats and vulnerabilities should be taken into consideration. The dynamic nature of cybersecurity risk can be effectively addressed by applying risk management throughout the TPLC
• Shared Responsibility Among Stakeholders: Stakeholders involved in medical device cybersecurity should understand their responsibilities and work closely with other stakeholders to continuously monitor, assess, mitigate, communicate, and respond to potential cybersecurity risks and threats throughout the life cycle of the medical device
• Promote Transparency Through Information Sharing: The TPLC approach to safe and secure medical devices uses cybersecurity information sharing as a corner stone. Information sharing can be achieved by adopting a pre- and post-market approach by the respective stakeholders

• To ensure safe use of the medical device information relating to the security of medical devices should be shared with users, patients, other manufacturers, distributors, healthcare providers, security researchers, and the public
• The shared information should be meaningful, consumable, and actionable for different stakeholders (e.g. information about a more secure chipset could be important across manufacturers, but the information may provide no benefit to end-users of the device)
• Information should be appropriate and shared freely, with the aim of improving patient safety irrespective of commercial interests
• Ensure providing globally consistent information that is shared synchronously across jurisdictions (as appropriate) to enable stakeholders in various jurisdictions to respond accordingly

Although medical device cybersecurity should be addressed throughout TPLC, some of the important pre-market elements that a manufacturer should address during the design and development of a medical device prior to market entry include:

• Designing security features into the product
• Application of accepted risk management strategies
• Performing security testing
• Provision of useful information for users to operate the device securely
• A plan in place for post-market activities

A post-market approach is necessary when pre-market controls designed and implemented may be inadequate to maintain an acceptable risk profile. The various elements that a post-market approach include are:

• Operation of the device in the intended environment
• Information sharing
• Coordinated vulnerability disclosure
• Vulnerability remediation
• Incident response, and legacy devices

As per the medical device labeling changes under the EU MDR the label should provide relevant security information to the end-user, considering the relative cybersecurity risk. Some of the elements that it should include are:

• Device instructions and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-malware software, network connectivity configuration, use of a firewall)
• Backup description, restore features and procedures to regain configurations
• A list of network ports and other interfaces that are expected to receive and/or send data, and a description of port functionality and whether the ports are incoming or outgoing (note that unused ports should be disabled)
• Sufficiently detailed system diagrams for end-users

The manufacturer must include technical documentation pertaining to installation, configuration of the device, technical requirements for their operating environments. This is particularly important for safe and secure use by the user. The information must entail the following elements:

• Guidance to users regarding the supporting infrastructure requirements
• Description of the device’s secure configuration that may include end point protections such as anti-malware, firewall/firewall rules, whitelisting, security event parameters, logging parameters, physical security detection, etc.
• Technical instructions to permit secure network (connected) deployment and servicing, and instructions for users on how to respond upon detection of a cybersecurity vulnerability or incident, where appropriate
• A description of how the device or supporting systems will notify the user when anomalous conditions are detected (i.e., security events), where feasible
• A description of the methods for retention and recovery of device configuration by an authenticated privileged user
• Where appropriate, security risks and consequences of changes to the security configuration, or to the use environment A description of systematic procedures for authorized users to download and install updates from the manufacturer
• Information concerning device cybersecurity end of support
• A Software Bill of Materials (SBOM) to inform and support operators regarding the cybersecurity of commercial, open source, or off-the-shelf software components which are included in the medical device

• Requirement to document and summarize activities related to cybersecurity
• Premarket authorization requires manufacturers to submit the device’s design features, risk management activities, testing, labeling and evidence of a plan to monitor and respond to emerging threats throughout the product’s life cycle in relation to cybersecurity

The reference section of the IMDRF guidance cites 2 standards:

1. UL 2900-1:2017 covering software cybersecurity for network-connected medical devices
2. UL 2900-2-1:2017 for requirements particular to network-connectable healthcare and wellness system components

Inclusion of these standards in the guidance indicates that these standards have become trusted indicators of cybersecurity risk management for connected devices.

The potential vulnerability posed by connected medical devices to cyberthreats is a growing concern to the healthcare industry. Inability to address the risks associated with compromised medical devices can stage devastating consequences for patients and healthcare providers. The IMDRF guidance focusses on shared responsibility amongst all industry participants and stakeholders, including healthcare institutions, healthcare providers, medical device developers and manufacturers, and patients and consumers for effective cybersecurity measures. Therefore, it is incumbent upon medical device manufacturers to work diligently to design mitigations for cyberthreats into the earliest stages of product development, and to implement effective post-market programs designed to identify and address new threats as they emerge.

Celegence experts can provide you with an overview on the general principles of medical device cybersecurity, including a  number of recommendations for stakeholders regarding best practices in the pre-market and post-market management of medical device cybersecurity.