Introduction
The last decades have been surrounded by many cybersecurity attacks around the world, many of them in Hospitals or Medical Devices. For example, on September 12th, 2022, the FBI warned that many medical devices with outdated software could be targeted.
For this reason, many Regulatory Organizations, such as the Food and Drug Administration (FDA) in the USA or the European Commission in the European Union have defined different regulations to get enough information about the medical device and their security.
Therefore, the scope of this post is to introduce those regulations with a brief description and comparison with their predecessors.
European Commission regulations
The relevant regulation related to medical devices released was the Council Directive 93/42/EEC (MDD) in June 1993. This directive has the CE marking as proof that all regulation requirements have been met.
The general requirement for a medical device is that it needs to be safe for patients, users and people involved when it’s properly installed, maintained, and used. That’s why categories and requirements have been defined for each one of them. Any medical device that negatively affects people’s health must remove its CE mark.
Since May 26, 2021, the Regulation (EU) 2017/745 (MDR) on medical devices is in effect. This regulation replaced the aforementioned directive.
This new regulation aims to improve the quality, safety, and reliability of medical devices, reinforcing the transparency of information and market surveillance after the device has been released.
This new regulation uses the same concepts and requirements as the directive. However, it has evolved by adding the following requirements:
- The technical file has changed its structure and level of detail.
- A “person responsible for regulatory compliance” must be appointed by the manufacturer.
- New/revised procedures to be implemented to handle new requirements including entering information into the databases.
- Strengthened requirements for post-market surveillance, clinical evaluation, and clinical investigations.
- “Summary of safety and clinical performance” requirement added for Class III devices and implantable devices.
- The conformity assessment system as it is in the MDD is maintained. Some changes have been made to the classification rules and some products are now assigned to a higher class, requiring a more demanding conformity assessment process.
- Implementation of unique device identification systems (UDI) process and marking.
Even though the directives and regulations described are not directly related to cybersecurity, they are relevant to the development and security of medical devices.
FDA Guidance
The FDA has been more active regarding cybersecurity due to the large amounts of cyberattacks the USA has suffered.
The first guidance related to this matter was “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”. This document was released in January 2005.
This guidance was released due to the growing number of medical devices designed to be connected to computer networks and the use of off-the-shelf software and it was centred on OTS software and the appropriate actions to prevent malicious events, the importance of validating any software change to maintain the same functionality on the device and providing sufficient information when a patch has been delivered.
In 2016 the “Postmarket Management of Cybersecurity in Medical Devices” guidance was released. This time, the guidance was focused on defining a structured and comprehensive management of postmarket cybersecurity vulnerabilities for marketed and distributed medical devices throughout the product life cycle. This includes the detection and correction of inadvertent incorporation of vulnerabilities during the design of the medical device.
In October 2018, the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Draft Guidance for Industry and Food and Drug Administration Staff” guidance was released. This was the first draft of the current guidance for premarket submissions.
The FDA emphasizes the use of a device design that allows addressing the intended use, user needs and cybersecurity issues. Furthermore, manufacturers are motivated to use a risk-based approach in defining the design features and level of cybersecurity resilience for the medical device, including labelling of the device.
Trustworthy device concept which means the medical device is reasonably secure in cybersecurity issues, functions as it should and covers the generally accepted security procedures.
The last release of the FDA about cybersecurity is “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” in September 2023.
A lot has changed when comparing this last release with its first draft. The first draft was more like a checklist, while this last release requires the manufacturer to have an explicit procedure to follow along with the guidance.
Here are some of the key points of this new release:
- The manufacturers must establish a quality system to ensure that the medical device consistently meets applicable requirements and specifications. The use of a Secure Product Development Framework (SPDF) is recommended. The use of an SPDF is useful since it provides a major overview of how threats can act on the device. Cybersecurity issues will be always considered as the implementation of cybersecurity testing.
- The basic security objectives are authenticity (including integrity), authorization, availability, confidentiality, security and timely adaptability and patchability. The manufacturer should provide information on how these objectives are implemented in the device design.
- The information about the device’s cybersecurity controls should be accessible to device users.
- Device cybersecurity design and documentation should be made according to the cybersecurity risk that the medical device could have.
Conclusion
As the complexity of medical devices grows, more regulations have been developed as it is described above.
At first, most of them were subject to the manufacturer’s interpretation, creating differences between a variety of medical devices. Now, the regulatory organizations have been more specific on what they expect from the medical device manufacturers and the regulations are clearer and more defined.
The regulations will evolve to less ambiguous and more objective terms. Most of them will require a procedure to be compliant. Finally, the standards will be clearer, and it will be easy to understand its principles.