Did you know that cybersecurity is addressed under ISO 13485:2016 Clause 7.3 requirements?
The Royal Academy of Engineering (RAE UK) report ‘Cyber Safety and Resilience’ (March 2018) suggests that the healthcare sector can learn from other industries when it comes to guarding against ransomware attacks, data breaches and hacking of connected health devices. That was just the beginning. Since then the cyber threat to medical devices and the data they control or access has exploded as the IoT (internet of things, i.e. the interconnectivity of devices and the cloud-based systems used to manage them) inexorably grows.
Cyber Security Threats in the Context of Medical Device Management
Taking connected health devices as an example, the report suggests that there is a general lack of awareness in the healthcare sector of the threats posed, and even of whether they exist. But exist they do.
In 2016, the FDA said that the threat of medical device hacking is a growing concern, urging companies to take a proactive approach to planning for, and assessing, the cybersecurity of products once they reach the market.
In 2020 researchers from the University of Leuven in Belgium and the University of Birmingham in the UK found a way to hack into implanted medical devices, steal medical information, drain the device’s battery and even cause it to malfunction.
Manufacturers who have had cyber difficulties don't publicize the events, so evidence is hard to find; hence the examples cited above date back more than five years.
The list of possible vulnerabilities is long
Medical devices, such as insulin pumps, pacemakers, infusion pumps, and diagnostic equipment, are increasingly becoming connected to networks and the internet, which opens them up to potential cyber threats. Ensuring the security of these devices is essential to protect patient safety, privacy, and the integrity of healthcare systems. Here are some vulnerability areas, and the controls that address them, relevant to ISO 13485 cybersecurity for you to consider:
1. Risk Assessment: Manufacturers should conduct thorough risk assessments to identify potential vulnerabilities and threats in their devices. This includes considering how the device might be accessed or tampered with remotely.
2. Authentication and Access Control: Implement strong authentication mechanisms to ensure that only authorized personnel can access and configure the device. Use role-based access control to limit what different users can do.
3. Data Encryption: Ensure that data transmitted between the device and other systems is encrypted to protect patient information and prevent interception or tampering.
4. Software Updates and Patch Management: Keep the device's software up to date by regularly issuing patches and updates to address known vulnerabilities. Provide a mechanism for users to easily apply these updates.
5. Network Security: Medical devices should be designed to operate on secure networks. Use firewalls, intrusion detection systems, and other network security measures to protect against unauthorized access.
6. Physical Security: Physical access to the device should also be restricted. Prevent unauthorized users from physically tampering with or accessing the device.
7. Security by Design: Integrate security into the design and development of the device from the outset. Consider security throughout the product lifecycle, from concept to disposal.
8. Incident Response Plan: Develop and maintain an incident response plan to address cybersecurity breaches. This should include procedures for identifying, containing, and mitigating security incidents.
9. Regulatory Compliance: Ensure that your device complies with relevant regulatory standards and guidelines for cybersecurity in medical devices. In the United States, the FDA provides guidance on this topic.
10. User Education: Educate healthcare providers and end-users about the importance of cybersecurity and how to use the device securely. Promote best practices for password management and safe use.
11. Vendor Collaboration: Work with third-party vendors to ensure that any components or software used in your device meet security standards. Be aware of the supply chain security risks.
12. Continuous Monitoring: Continuously monitor the device and the network for signs of suspicious activity. Implement security monitoring and logging to detect and respond to potential threats.
13. Security Testing: Conduct regular security testing, including penetration testing and vulnerability assessments, to identify and address weaknesses in the device's security.
14. Legacy Device Management: For older devices that are no longer supported or updated, establish strategies to mitigate risks, such as network isolation or device replacement.
15. Patient Privacy: Safeguard patient privacy by ensuring that any data collected or transmitted by the device is handled in compliance with healthcare privacy laws (e.g., HIPAA in the United States).
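As an added illustration of items 2 (role-based access control) and 12 (logging and monitoring), the following Python example is not from the original article or any real device; it models a hypothetical connected device that gates configuration commands by role, writes every decision to an audit log, and then scans that log for bursts of denied commands that a monitoring process should escalate. The roles, command names and the 3-denials-in-5-minutes threshold are assumptions chosen for the example.

```python
"""Role-based command authorization with an audit log and a denial-burst detector.

Added example (not from the article). The device model, roles, commands and
alert threshold are all assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: which configuration commands each role may issue.
ROLE_PERMISSIONS = {
    "clinician": frozenset({"read_status", "set_dose_limit"}),
    "biomed_tech": frozenset({"read_status", "set_dose_limit", "update_firmware", "set_network"}),
    "patient": frozenset({"read_status"}),
}


@dataclass(frozen=True)
class AuditEvent:
    """One authorization decision, recorded whether or not it was allowed."""
    ts: datetime
    user: str
    role: str
    command: str
    allowed: bool


class DeviceAccessControl:
    """Gates commands by role and records every decision (item 2 + item 12)."""

    def __init__(self):
        self.audit_log = []

    def authorize(self, ts, user, role, command):
        # Unknown roles get an empty permission set, so they are denied by default.
        allowed = command in ROLE_PERMISSIONS.get(role, frozenset())
        self.audit_log.append(AuditEvent(ts, user, role, command, allowed))
        return allowed


def find_denial_bursts(audit_log, threshold=3, window=timedelta(minutes=5)):
    """Return {user: max denials seen within any `window`} for users at or over `threshold`.

    A sliding window over each user's sorted denial timestamps; repeated
    denials are a classic sign of probing or a misconfigured integration.
    """
    denied = defaultdict(list)
    for ev in audit_log:
        if not ev.allowed:
            denied[ev.user].append(ev.ts)

    flagged = {}
    for user, times in denied.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def run_constructed_scenario():
    """Constructed activity: one stray denial, one burst, one denial outside the window."""
    acl = DeviceAccessControl()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    decisions = []
    decisions.append(acl.authorize(t0, "nurse01", "clinician", "read_status"))            # allowed
    decisions.append(acl.authorize(t0 + timedelta(minutes=1), "nurse01", "clinician", "update_firmware"))  # denied once
    for i in range(4):  # four denials within four minutes -> burst
        decisions.append(acl.authorize(t0 + timedelta(minutes=2 + i), "pt42", "patient", "set_network"))
    decisions.append(acl.authorize(t0 + timedelta(hours=2), "pt42", "patient", "set_network"))  # denied, outside window
    decisions.append(acl.authorize(t0 + timedelta(hours=3), "tech9", "biomed_tech", "update_firmware"))  # allowed
    decisions.append(acl.authorize(t0 + timedelta(hours=3), "svc", "unknown_role", "read_status"))  # denied: unknown role
    return decisions, find_denial_bursts(acl.audit_log)


if __name__ == "__main__":
    decisions, flagged = run_constructed_scenario()
    print("decisions:", decisions)
    print("users to escalate:", flagged)
```

The detector keys on the user rather than the source address because on a medical device the audit trail must tie actions to an identifiable person for both the incident response plan (item 8) and post-market surveillance records.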
Integrating Cyber Security with Medical Device Management
Cybersecurity is an integral part of our ISO 13485 training courses, which recognise that in medical devices cybersecurity is an ongoing process requiring collaboration between manufacturers, healthcare providers, regulatory agencies, and cybersecurity experts to ensure the safety and security of patients and healthcare systems. As technology evolves, so too should the security measures for medical devices, to stay ahead of emerging threats.
But action is required immediately, and you can do so as part of your ISO 13485 implementation project.
ISO 13485:2016 Clause 7.3 Requirements
Clause 7.3 of ISO 13485:2016 includes the sub-clause 7.3.3, Design and development inputs, which states:
‘Inputs relating to product requirements shall be determined and records maintained (see 4.2.5). These inputs shall include:
- a) functional, performance, usability and safety requirements, according to the intended use;
- b) applicable regulatory requirements and standards;
- c) applicable output(s) of risk management;
- d) as appropriate, information derived from previous similar designs;
- e) other requirements essential for the design and development of the product and processes.
These inputs shall be reviewed for adequacy and approved.
Requirements shall be complete, unambiguous, able to be verified or validated, and not in conflict with each other.’
You can be certain that your Certification Body/Notified Body will interpret ‘c) applicable output(s) of risk management’ as requiring that cybersecurity aspects be addressed where your device transmits, receives and/or stores data.
Post-market Surveillance and Regulatory Guidance
Regulatory Authorities globally are now keenly aware of the havoc that cybercriminals could cause and the near certainty that they will do so. At the very minimum, your future Post-Market Surveillance must include the issue of cybersecurity and the protection of information relating to devices, the persons using them, and patient data. The topic and associated threats are vast and Regulators are struggling to prepare and issue official Guidance. In the meantime you must address the issue, starting by ensuring that data protection is part of your Medical Device Risk Management system.
Other Actions to consider
While compliance with its requirements would likely be ‘overkill’ in many instances, we would recommend that you examine ISO 27001, the information security standard (and its companion standard, ISO 27002), for ideas on the types of controls that should be in place to protect both your product and the end-user/patient.