Mobile health apps and medical device software represent a booming market. Many mobile health apps are sold through smartphone app stores. At the same time, more and more medical devices are connected to hospital networks for the purposes of remote maintenance or periodic monitoring of their functioning.
The media has reported regularly on these technologies over the last few years. One prominent case involved a hacked insulin pump in 2011. Microsoft ending technical support for the Windows XP operating system is another instance, one that calls into question the cybersecurity of the software that runs on that operating system.
More recently, the Heartbleed vulnerability caught security experts' attention as a security failure in OpenSSL, and the recent hacking of Sony's email servers laid bare that even the best-laid plans can go awry.
All of these examples highlight the importance of cybersecurity for medical devices.
But when we talk about cybersecurity of medical devices, what exactly do we mean? Information security aims to guarantee the availability, integrity and confidentiality of data stored, processed or transmitted.
A guide and standards to provide a framework for cybersecurity
The American approach to medical device cybersecurity is detailed in an FDA guidance document, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, published on Oct 2nd, 2014.
This guide indicates that the risk management process of a medical device must be used to respond to cybersecurity risks. The risk management process identifies the assets, threats and vulnerabilities, evaluates their impact and their likelihood, determines strategies for risk reduction, and evaluates residual risks and their acceptance criteria.
During a medical device's design phase, five essential cybersecurity functions must be taken into account: identify, protect, detect, respond, and recover.
This approach is completely relevant in the context of European regulation on medical devices.
Furthermore, the FDA guidance document Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software confirms that the feedback process must allow the manufacturer to detect security failures in its device. It also states that the corrective and preventative action process must allow the implementation of the necessary actions to correct cybersecurity problems.
In addition, the harmonized standard EN 62304 structures the medical device software development cycle.
The required processes in this standard are applicable to problems of cybersecurity in medical devices. For example, the software defect management process provides an inventory of the vulnerabilities of and threats posed by medical device software.
The software maintenance process helps to implement responses to these cybersecurity problems. The external software components, which can potentially present security failures, are treated in the software development cycle as SOUP - Software Of Unknown Provenance.
As part of EN 62304, these SOUP components are described in the software system architecture and are assigned a safety class on the basis of the security criteria defined in the standard. The software requirements include security requirements, which cover communication integrity, authorization, audit recording, and the compromise of sensitive data. EN 62304 Amendment 1 confirms the importance of cybersecurity by including a new example of this type of requirement (virus and malware).
To supplement EN 62304, which covers medical device software, it is also necessary to consider the risk management strategy for the information technology networks to which the medical devices are connected.
This risk management is described in standard EN 80001-1 from August 2011. This standard defines the functions, responsibilities and activities required for this type of risk management. It is important to fully understand that even though the organization that owns the risk management process (healthcare organization, hospital, clinic, etc.) is responsible, the medical device manufacturer has responsibilities with regard to the network security of its medical device.
One of its main responsibilities is to supply instructions for the appropriate implementation of network connections relating to:
• the required characteristics of the network incorporating the medical device;
• the required network configurations;
• the technical specifications of the medical device's network connection, including security-related specifications;
• the intended flow of information between the medical device, the network and the other medical devices on the network;
• a list of hazardous situations during which the network does not possess the required characteristics to meet the connection needs of a medical device to the network.
Though it is not a harmonized standard, EN 80001-1 is the most up-to-date standard in terms of risk management for connected medical devices, and as such represents the state of the art to be taken into account for autonomous software. It should be noted that for electro-medical devices, these requirements to provide instructions concerning network connections are included in their entirety in Amendment 1 (2014) of standard NF EN 60601-1, 3rd edition.
Whether in the American or European context, a number of tools exist today within the regulations to take into account issues relating to the cybersecurity of medical devices. As a notified body, the LNE/G-MED considers the cybersecurity of medical devices to be a major issue, one expected to grow in the coming years considering the evolution of information technologies in the field of healthcare.