In light of the growing concern over cybersecurity and the increasing complexity of medical device supply chains, the Medical Device Coordination Group has released updated guidance on cybersecurity for medical devices (the Guidance) (link here). The Guidance is intended to supplement the essential requirements listed in Annex I of the Medical Devices Regulations (Regulations 745/2017 and 746/2017) (link here). We have summarised below the key points in this Guidance.
The Guidance is targeted at manufacturers of medical devices. Generally, under the Medical Devices Regulations, manufacturers are required to develop their products in accordance with the state of the art, taking into account risk management principles, including operation, IT and information security.
- Pre-market and post-market cybersecurity activities: under the Medical Devices Regulations, manufacturers are required to conduct pre-market activities such as establishing risk control measures, secure designs, clinical evaluation processes and conformity assessments. For post-market activities, manufacturers should modify their risk control measures, perform further risk assessments and update their post-market surveillance plans/systems as necessary.
- Clarification of cybersecurity concepts: the Guidance elaborates in detail on important concepts such as IT security, information security, and operation security. Devices should be safe and effective – any risks associated with the operation of medical devices must be acceptable so as to enable a high level of protection of health and safety. In addition, manufacturers should consider cybersecurity requirements in accordance with the nature of the device, including the device type and intended use of communication technologies; anticipate any reasonably foreseeable misuse; and, lastly, work with other stakeholders such as integrators, operators, and users to ensure effective implementation.
- Secure design and manufacture – ‘secure by design’: manufacturers must consider safety, security and effectiveness at an early stage of development and throughout the entire life cycle. A security/safety risk management process should be in place, documenting and evaluating all the security risks, and stating its impact on security as part of the risk assessment. The Guidance also provides an indicative list of security capabilities for medical devices, such as automatic logoff and emergency access. It is also an explicit requirement under Annex I of the Medical Devices Regulations to carry out an overall benefit risk analysis.
- Documentation and instructions for use: manufacturers should provide technical documentation containing information that demonstrates conformity with the general safety and performance requirements in Annex I of the Medical Devices Regulations. This includes information to be provided to health care providers regarding the intended use environment. In addition, the documentation should be updated with information raised through the manufacturers’ post-market surveillance system related to the handling and remediation of cybersecurity incidents and vulnerabilities.
- Post-market surveillance and vigilance: lastly, as cybersecurity vulnerabilities change and evolve, manufacturers should have in place a post-market surveillance programme, which they should regularly update. The Guidance recommends addressing the following in the programme: operation of the device in the intended environment; sharing and dissemination of cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors; vulnerability remediation; and incident response.
The Guidance provides a useful illustration of how manufacturers should comply with their obligations under the Medical Devices Regulations, and will be of great importance to modern manufacturers intending to incorporate new technology in their products.