Cybersecurity for Medical Devices

By Guillaume Promé
Nov. 5, 2021 Risk management, Software

Cybersecurity is a major new issue for manufacturers of Medical Devices (MD) that embed (or are) software, it also concerns organizations that store and handle sensitive data (typically: personal health data).

Technology creates new risks of attack, which must be managed through a cybersecurity process.

The task is complex, but the good news is that medical device manufacturers already have all the tools (processes) to tackle this challenge.

This article gives the state of the art in medical device cybersecurity, to provide an overall view of a cybersecurity management process.

A review of vigilance issues associated with cybersecurity is proposed at the end of the article.

What Medical Devices are concerned by Cybersecurity?

Security issues are applicable to any medical device software and particularly to any connected medical device.

Therefore, cybersecurity should not be limited to Internet-connected MDs: a simple USB port or a simple programming interface can be entry points for attacks!

Regulatory and normative context in medical devices cybersecurity

Regulation (EU) 2017/745

The requirements are of course to be found in Regulation (EU) 2017/745, Annex I proposes general requirements applicable to software, Annex II details the expectations of the technical file. Some requirements echo cybersecurity:

developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security (…) set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access (…) testing performed both in-house and in a simulated or actual user environment (…) different hardware configurations and, where applicable, operating systems identified in the information supplied (…)

Guidelines for the cybersecurity of medical devices

While an MDCG guide for cybersecurity is feverishly awaited, we currently have many guides (and requirements) available, written by relevant authorities very concerned about the subject:

  • IMDRF: IMDRF Guide for Cybersecurity
  • ANSM: Guide on the cybersecurity of medical devices
  • Health Canada: Guidance Document for Medical Device Cybersecurity
  • TGA: Guidance on “Medical device cybersecurity guidance for industry”
  • FDA: Guidance on “Cybersecurity”

You can also consult the work of scholarly societies: ENISA, ANSII (and its EBIOS method) and NIST in particular.

Standards for the cybersecurity of medical devices

  • The AAMI TIR57 standard is certainly the most comprehensive
  • The UL 2900-1 and UL 2900-2-1 standards (MD connected to a network) offer testing, a UL certificate can be obtained via an approved laboratory
  • ISO/TC 215 committee standards (including the IEC 80001-x-x series)

Cybersecurity: a matter of risk management

Before defining a cybersecurity management process, you need to understand that these activities are in fact risk management activities, the vocabulary used in cybersecurity should convince you of this:

Cybersecurity is about managing computer threats (risks).

Threats are associated with computer vulnerabilities (hazards).

A threat materializes in a computer attack (the dangerous situation), which may result in harm (patient or even just data in case of regulatory consequences).

It will therefore be a question of managing cybersecurity risks: identifying them, controlling them and monitoring them.

The objectives of cybersecurity

In addition to the general objectives of performance and security, it will be necessary – when handling data/information – to take into account the 4 main objectives of information systems security :

  1. Guarantee confidentiality
  2. Guarantee the integrity of data
  3. Guarantee the accessibility
  4. Guarantee the auditability of the system

Cybersecurity management process

It is highly recommended that you manage a dedicated cybersecurity procedure, otherwise integrate the requirements into your risk management or software lifecycle procedure.

Your system is already substantial, cybersecurity will use many of your existing processes :

The Flowchart below highlights the cybersecurity activities, most often shared with other processes:

Flowchart of cybersecurity activities and link to other activities

The stages in the cybersecurity management process are as follows:

  1. Planning
  2. Contextualization
  3. Identification of risks
  4. Risk assessment: according to ISO 14971 and, if needed, according to cybersecurity-specific methods, such as the Computer Vulnerability Score: CVSS
  5. Control of risks
  6. Design and development
  7. Verification, laboratory testing is possible
  8. Validation, including Usability Engineering testing
  9. Management of information provided
  10. Post-market surveillance and watch
  11. Corrective and preventive actions (including updates, patching, communication about cybersecurity issues…) the computer vulnerability score: CVSS

These activities will be implemented according to a risk-based approach: an initial Risk Analysis will quantify the cybersecurity risks, your work will be legitimately proportionate to these risks.

Analysis of actual cybersecurity-related vigilance events

An analysis of vigilance events leads to considerably weighted cybersecurity issues in the medical device sector: alerts are rare and exclusively preventive.

Vigilance events most often involve large companies, with AIMD (Active Implantable Medical Device) being particularly targeted.

Problems target opportunities for unauthorized access, malicious reprogramming and authentication bypass. The causes are frequently attributable to the means of communication or reprogramming and the operating system.

It is interesting to go further, the site (French) has a section dedicated to the watch for health alerts, with events most often without consequences:

  • 28% of alerts concern medical devices, 72% concern Health Institutions
  • MDs are victims of “vulnerabilities”
  • Only 7% of events are attacks by hackers
  • 2% fishing, 12% ransomware
  • 17% of alerts involve compromised databases
  • 16% of alerts were as a result of data leaks
  • The causes, apart from technical problems, are varied: human error (4%),  email hacking (4%) even hardware theft (3%)