New gui­dance docu­ment on cyber­se­cu­ri­ty for medi­cal devices

The “Gui­dance on Cyber­se­cu­ri­ty for medi­cal devices,” published in Decem­ber 2019 by the MDCG, is desi­gned to ser­ve as an aid for medi­cal devices manu­fac­tu­r­ers in com­ply­ing with cybersecurity-specific requi­re­ments, par­ti­cu­lar­ly tho­se found in Annex I of (new) Regu­la­ti­ons (EU) 2017/745 (the MDR) and (EU) 2017/746 (the IVDR). 

For the most part, the gui­dance docu­ment pres­ents basic con­cepts in cyber­se­cu­ri­ty and makes clear that cyber­se­cu­ri­ty must be regard­ed as part of the fun­da­men­tal requi­re­ments for the gene­ral safe­ty and effec­ti­ve­ness of medi­cal devices. Accor­din­gly, the docu­ment makes refe­rence to the regu­la­to­ry requi­re­ments of the MDR and IVDR which are of rele­van­ce for medi­cal devices manu­fac­tu­r­ers while at the same time offe­ring hints for the imple­men­ta­ti­on of aspects rela­ting to cybersecurity.

The gui­dance docu­ment sta­tes that gene­ral IT secu­ri­ty is of cen­tral importance for all aspects of cyber­se­cu­ri­ty and that it is to be asses­sed depen­ding on the product’s risk, inten­ded use and ope­ra­ting envi­ron­ment. It also notes that the goals of pro­duct safe­ty, secu­ri­ty and effec­ti­ve­ness are to be kept in mind at all times when desig­ning secu­ri­ty mecha­nisms for medi­cal devices and in-vitro diagnostics.

A signi­fi­cant part of cyber­se­cu­ri­ty is risk pre­ven­ti­on. What this means for medi­cal device manu­fac­tu­r­ers is that secu­ri­ty mecha­nisms have to be imple­men­ted in the product’s deve­lo­p­ment pha­se, and not only in the manu­fac­tu­ring pro­cess.  Such mecha­nisms include, abo­ve all:

• secu­re design,
• a secu­ri­ty risk manage­ment system,
• secu­ri­ty capabilities,
• a stan­dar­di­zed secu­ri­ty risk assessment,
• a secu­ri­ty bene­fit risk analysis,
• mini­mum IT requi­re­ments, and
• vali­da­ti­on and veri­fi­ca­ti­on throug­hout the pro­duct life cycle.

The gui­dance docu­ment also points out that cyber­se­cu­ri­ty aspects may be of rele­van­ce for docu­men­ta­ti­on and in draf­ting ins­truc­tions for use. Pro­duct docu­men­ta­ti­on must include e.g. secu­ri­ty requi­re­ments to ensu­re safe­ty and pro­duct effec­ti­ve­ness: this includes cyber­se­cu­ri­ty! In addi­ti­on, the ins­truc­tions for use which are pro­vi­ded with medi­cal devices must include infor­ma­ti­on rela­ting spe­ci­fi­cal­ly to cyber­se­cu­ri­ty, such as infor­ma­ti­on rela­ting to pro­duct instal­la­ti­on or step-by-step ins­truc­tions for deploy­ing secu­ri­ty updates. The spe­ci­fic shape which the­se requi­re­ments take in each case depends on the secu­ri­ty risk, the ope­ra­ting envi­ron­ment and the spe­ci­fic product.

In addi­ti­on to pre­ven­ti­on and docu­men­ta­ti­on requi­re­ments, medi­cal device manu­fac­tu­r­ers also have to satis­fy post-market sur­veil­lan­ce requi­re­ments, inclu­ding con­ti­nuous moni­to­ring and reme­dia­ti­on of cyber­se­cu­ri­ty vulnerabilities.

The spe­ci­fic (cyber­se­cu­ri­ty) requi­re­ments for each medi­cal device and manu­fac­tu­rer depend on the spe­ci­fic situa­ti­on in each case, par­ti­cu­lar­ly the product’s inten­ded use, reason­ab­ly fore­seeable misu­se and ope­ra­ting envi­ron­ment. For this reason, the gui­dance docu­ment notes that manu­fac­tu­r­ers should include cyber­se­cu­ri­ty ques­ti­ons in their risk assess­ments from the very begin­ning, in other words from the deve­lo­p­ment pha­se, and should con­ti­nue to do so throug­hout the product’s life cycle.

As medi­cal devices beco­me incre­asing­ly digi­ti­zed and con­nec­ted, this gui­dance docu­ment illus­tra­tes to manu­fac­tu­r­ers once again and with par­ti­cu­lar urgen­cy that cyber­se­cu­ri­ty is an essen­ti­al part of pro­duct safe­ty and one that may not be negle­c­ted at any point during the product’s life cycle if the pro­duct is to com­ply with regulations.