An ever-increasing number of medical devices are being connected to hospital information networks over various types of link (4G, Wi-Fi, Bluetooth and Ethernet). At the same time, more and more cases of hacking, security breaches and outright theft of personal medical data are being reported in the media.
It is therefore worth reviewing the current regulatory position on connected medical devices.
The European regulatory context of medical device cybersecurity
At the European level, three directives cover medical devices: 93/42/EEC on medical devices, 98/79/EC on in vitro diagnostic medical devices and 90/385/EEC on active implantable medical devices.
These three directives set out the essential requirements that medical devices must meet in terms of safety and performance.
Although the concept of cybersecurity is not an explicit element of these current directives, a certain number of harmonized standards set out an initial level of requirements regarding the incorporation of such issues.
The medical device software life cycle standard (EN 62304:2006) includes a number of requirements that bear on security. It requires a verification strategy to be defined (unit testing, integration testing and software system testing) in order to verify that the device's safety and security measures are effective. Its software problem resolution process is also well suited to tracking and correcting bugs that have a cybersecurity impact.
Medical device risk management (EN ISO 14971:2012) is based on identifying hazardous situations, estimating risk (probability and severity), implementing risk control measures and evaluating the residual risk. This cross-cutting approach can serve as a template for managing risks related to medical device cybersecurity. In practice, it yields a documented analysis of the risks associated with any loss of integrity, loss of availability and, where applicable, loss of confidentiality of information.
It should also be noted that French decree no. 2016-1214 of 12 September 2016 defines the procedure for notifying serious incidents affecting information system security in the health sector.
The US regulatory context of medical device cybersecurity
As part of its remit, the FDA (Food and Drug Administration) has published a number of guidance documents for manufacturers of connected medical devices.
Of particular note is the guidance entitled Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.
This guidance confirms that the manufacturer remains responsible for the cybersecurity of its medical device, and that the existing reporting and corrective action processes apply to cybersecurity issues as well.
The guidance entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, dated 2 October 2014, confirms the integrated approach to design, development and risk management.
With regard to risk management, it sets out a strategy based on:
- Identification of assets, threats and vulnerabilities;
- Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients.
It also calls for an assessment of the likelihood that a threat materializes and that a vulnerability is exploited.
The guidance entitled Postmarket Management of Cybersecurity in Medical Devices, dated 28 December 2016, structures the cybersecurity management process around the five core functions (identify, protect, detect, respond and recover) of the NIST Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology in collaboration with industry.
Finally, AAMI TIR57:2016, Principles for Medical Device Security - Risk Management, sets out the current state of the art for analysing and assessing cybersecurity risk within the framework of EN ISO 14971:2012.
In conclusion, although these US and European frameworks leave significant room for improvement, they provide a starting point for the state of the art in managing the cybersecurity of connected medical devices.
The European regulation on medical devices published on 5 May 2017 lists information security among the general safety and performance requirements that medical devices must meet.