Cybersecurity – Is Your Device Software Secure?
In July 2019 the Australian Therapeutic Goods Administration (TGA) released its Medical device cyber security guidance for industry. This is the TGA's first guidance on the topic, and it highlights regulators' growing concern about the cybersecurity risks of devices and IVDs that incorporate software, and of Software as a Medical Device (SaMD).
Connectivity and digitisation of medical device technologies bring a range of benefits to the use and functionality of those devices. However, connected devices are also exposed to cyber threats that can lead to patient harm. These may include:
• Interruption or denial of intended service or therapy
• Changes to device function to directly cause patient harm
• Loss of privacy or personal health data being compromised
The guidance therefore discusses how cyber-security considerations can be integrated in the safety and efficacy requirements of medical devices.
Essential Principles & Relevant Standards
Essential Principles define the key regulatory requirements for product safety and effectiveness. In the case of connected devices, the guidance document states the following assumptions for assessing device compliance with the Essential Principles:
• Medical devices and the networks they operate in can never be completely cyber-secure. Because cybersecurity is a shared responsibility, medical device users themselves may represent a potential threat.
• Medical devices can be used by an attacker as a threat vector into their associated networks.
• The cybersecurity threat landscape is rapidly evolving and requires constant monitoring and appropriate corrective and preventative action from medical device manufacturers and sponsors.
• Potential harm to patients and users from an adverse medical device cybersecurity event may include physical harm (e.g. a device no longer operating as intended) as well as other consequences, for example psychological harm, incorrect diagnosis, breaches of privacy through the disclosure of personal information, or financial consequences.
• Personal health data, including data collected from medical devices, presents a lucrative target for malicious activity, requiring secure storage and transmission solutions.
• Clinical use of the device is often considerably longer than the expected lifespan of the technology that allows its operation (e.g. software and connectivity hardware), and this technology often receives less frequent patches over time or becomes officially unsupported.
During the risk management process, the Essential Principles should therefore be mapped to risk & hazard analyses in the context of cybersecurity. The TGA guidance document provides a table of relevant Essential Principles and examples of cybersecurity risks.
Implementation of the following standards may also build the framework required to mitigate those risks and align with the Regulatory Essential Principles:
• ISO 14971 Medical devices — Application of risk management to medical devices
• ISO 13485 Medical devices — Quality management systems — Requirements for regulatory purposes
• IEC 62304 Medical device software — Software life cycle processes
• IEC 60601 series Safety and essential performance of medical electrical equipment
• IEC 62366-1 Medical devices — Part 1: Application of usability engineering to medical devices
• UL 2900 series Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements
• IEC 80001 series Application of risk management for IT-networks incorporating medical devices — Part 1: Roles, responsibilities and activities
The most common and widely accepted standard for demonstrating that medical device risks have been addressed is ISO 14971, Application of risk management to medical devices, which provides an accepted risk management process. In addition, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework provides useful inputs to cybersecurity considerations.
The risk management program shall evaluate cybersecurity risks that could compromise the health and safety of a patient, user or any other person, as with other risks for medical devices.
In implementing mitigations, consider:
• Modularised design architecture: A modularised approach enables medical devices to be updated and adapted as the cybersecurity risk profile changes.
• Cybersecurity assessment and penetration testing: Implement penetration testing to validate the effectiveness of cybersecurity measures and to identify previously unknown vulnerabilities.
• Operating platform security: Assess the cybersecurity of third-party operating systems and hardware platforms. This is critical for software which is intended to operate on a consumer mobile device or utilise a web or cloud service.
• Update pathways: Consideration should be made to risks associated with available software update/patch methods and pathways, whether applied manually, remotely, continuously updating using cloud/virtual systems, or another approach.
• Trusted access and content provision: It is highly recommended to implement trusted access functions for network connected devices to prevent unauthorised access and to reduce cybersecurity risk.
In addition, risk management strategies should include a continuous approach for identifying, estimating and reducing cybersecurity risks, such as assessing and mitigating vulnerabilities when they are identified by the manufacturer or in the public domain.
Prior to market release of the medical device software (Pre-market) the cybersecurity risks must be addressed during the design and development process with the following main considerations:
• General considerations: development approach; administration protocols; application of standards; risk management strategies; infrastructure, manufacturing and supply chain management; and provision of information for users.
• Technical considerations: cybersecurity penetration testing; modularised design architecture; operating platform security; emerging software; and trusted access and content provision.
• Environmental considerations: based on the device’s intended use, such as connecting to networks, and uploading or downloading data.
• Physical considerations: Mechanical locks on devices and interfaces, physically securing networks, secure waste management.
• Social considerations: Designing out or minimising social-engineering threats (e.g., phishing, impersonation, baiting, tailgating)
There are two approaches that assist in understanding cybersecurity risk as early as possible and to reduce cybersecurity risk throughout the design and development phases. These approaches also aid in compliance with the Essential Principles. They include:
• Secure by design: Identifying potential cybersecurity vulnerabilities & risks associated with the medical device during the initial design and development phase. The Software Assurance Forum for Excellence in Code (SAFECode) publishes information concerning secure software development.
• Quality by design: Understanding and mitigating the potential risks introduced with each function of the medical device, its manufacturing process and the environment in which the device is used. These risks may include cybersecurity, privacy, usability, safety and other associated risks.
After market release (post-market), manufacturers and sponsors are required to monitor the device, routinely conduct cybersecurity assessments, and take action on any identified risks.
It is important to develop an understanding of the relationships between cybersecurity vulnerabilities, exploits, and threats (a useful diagram is presented in the TGA guidance) in order to decide what action a changed medical device cybersecurity risk profile requires, for example a device recall, a safety alert, a routine update, or an adverse event report to the TGA.
Cybersecurity applies to the software’s total product life cycle (TPLC), from the initial conception to development and testing, market authorisation, post-market use, and through to end-of-life and obsolescence.
A development process such as that described in IEC 62304 Medical device software — Software life cycle processes provides a suitable life cycle framework into which cybersecurity activities can be integrated. Note that IEC 62304 does not itself specify security requirements; those must come from the risk management process and the cybersecurity standards listed above.
Product life cycle must also be managed through successful implementation of a Quality Management System (QMS) such as ISO 13485. The QMS describes key processes such as software development, risk management, change management, complaints and post-market monitoring procedures which are essential to lifecycle management of devices and their cybersecurity context.
If you have questions about how to navigate the use of standards and managing test programs, please reach out. We have a staff of consultants with extensive expertise, whether it's a TGA application, a strategy for MDR transition, a US pre-submission or 510(k) filing, specific help with regulatory documents (e.g. Clinical Evaluation Reports), or an update of your quality system to gain MDSAP. We understand you need a commercial approach which delivers viable options. Contact us to discuss your needs and how we can help. You can drop us an email at [email protected] or call 1 888-271-5063 (US toll free) or +61 2 9906 2984 (Sydney).