At the time of writing this article, towards the end of the annual three-day RAPS Euro Convergence 2021, the recurring theme of discussion at the conference revolved around the new European Union (EU) Medical Device Regulation (MDR) implementation. As the medical device sector prepares for sweeping new regulations, readiness for and compliance with EU MDR was the prime topic.
In the previous Medical Device Directive (MDD, 93/42/EEC) and Active Implantable Medical Device Directive (AIMDD, 90/385/EEC), the basis for approval was establishing conformity with the ‘Essential Requirements (ERs)’. Similarly, for the new EU MDR the keystone for compliance is conformity with the ‘General Safety and Performance Requirements (GSPRs)’ of Annex I, which are formulated and expanded thematically.
CYBERSECURITY is a new area of emphasis in the MDR compared to the earlier Directives, as evidenced across the multiple safety and performance requirements.
The main reason for the critical importance now attached to Cybersecurity is that improved healthcare, digital health services and connectivity in medical devices have brought an increased threat of cyber-attack. In addition, cyberattacks aren’t just becoming more frequent, they’re also becoming more sophisticated.
Let’s deep-dive into some of the critical aspects of the new requirements linked to Cybersecurity and the transition timelines in the new EU MDR.
47 pages on Cybersecurity
Whether the motive is causing patient harm, disclosure of protected health information (PHI) or personally identifiable information (PII), privacy fines under GDPR (in the EU) and HIPAA (in the US), or reputational damage, the consequences of a cyberattack are disastrous for any manufacturer. In line with global regulatory principles, manufacturers of a medical device are expected to design and manufacture products that are safe, perform as intended, and have benefits that outweigh the risks.
From one sentence in the MDD that indirectly referred to (Cyber)security to nearly 47 pages of Cybersecurity requirements in the MDCG 2019-16 guidance document, we cannot emphasise enough the need for built-in Cybersecurity in medical devices beginning at the design stage.
EU MDR asserts that Cybersecurity is now a safety requirement.
The transition time to implement Cybersecurity for the medical device industry has already passed.
Roadmap to Cybersecurity
There are multiple cybersecurity guidances across different regulatory jurisdictions, many of which overlap. Given this, it can be easy to get stuck on how to comply with a specific set of requirements for the EU or globally. Requirements always fall into two groups: Product (device-based requirements) and Process (the ISO 13485 QMS). When it comes to Cybersecurity, as a rule of thumb for EU MDR, it’s best to understand the rationale of the regulatory compliance requirements and show conformity to the critical standards first. These include:
- EU MDR Annex I
- MDCG 2019-16: Guidance on Cybersecurity for Medical Devices
- IMDRF: Principles and Practices for Medical Device Cybersecurity
Security Risk Analysis
- ISO 14971:2019: Application of risk management to medical devices
- AAMI TIR-57: Principles for Medical Device Security-Risk Management
Security by Design
- IEC 62304: Medical device software: Software lifecycle processes
- IEC TR 60601-4-5 (tailoring of IEC EN 62443-4-2): Product-level cybersecurity requirements for medical devices
- ISO/IEC 80001-5-1 (tailoring of IEC EN 62443-4-1): Process standard for Cybersecurity in health informatics (safety, security and effectiveness)
You’ll want to build the technical documentation (TD) for your medical device or standalone software as a medical device (SaMD), start talking to a Notified Body (NB) early and, if needed, bring in external cybersecurity experts to help present your case. It’s advisable to start from scratch to avoid complexities and the mess of updating in future. You can create consistency during pre-market device registration by taking a secure product lifecycle view and considering post-market requirements from the outset.
Security risk assessment is critical
The next logical question would be: with so many cybersecurity guides, and new security threats discovered each day, how does a company even get started? A good starting place for compliance with EU requirements is MDCG 2019-16: Guidance on Cybersecurity for Medical Devices.
Let’s review the general safety and performance requirements with a focus on Cybersecurity.
The MDR requires manufacturers of medical devices to consider the state of the art when designing, developing and upgrading medical devices across their life cycle.
Two key EU MDR takeaways:
1. Security risk management needs to be conducted under MDR
The security risk management process has the same elements as the safety risk management process. A good approach is to extend the existing risk management methodology and requirements from ISO 14971 to security risks. Threat modelling, one of the most effective security risk assessment techniques, is a systematic approach and an invaluable tool for conducting security risk management.
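As an added illustration (not code from the article or from Irdeto) of what "extending the ISO 14971 methodology to security risks" looks like in practice, the following Python sketch keeps a security risk register with the same elements a safety risk record carries: the asset, the threat and the vulnerability it exploits (the security counterparts of hazard and hazardous situation), the resulting harm, likelihood and severity, the controls applied, and the residual risk after those controls. The 5x5 scales, the acceptability thresholds and the three register entries for a hypothetical connected monitor are all constructed for the example and are not taken from any standard or real product.

```python
"""Minimal security risk register modelled on ISO 14971-style risk records.
Added example, not the article's or any vendor's code. Scales, thresholds and
sample entries are constructed for illustration only."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Likelihood(IntEnum):      # constructed 1..5 scale
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    FREQUENT = 5


class Severity(IntEnum):        # constructed 1..5 scale, keyed to patient harm
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


@dataclass
class SecurityRisk:
    """One threat-model finding recorded with the same fields as a safety risk."""
    risk_id: str
    asset: str
    threat: str            # who/what acts on the asset
    vulnerability: str     # weakness the threat exploits
    harm: str              # clinical / privacy consequence
    likelihood: Likelihood
    severity: Severity
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[Likelihood] = None   # None = not yet re-assessed
    residual_severity: Optional[Severity] = None


def risk_index(likelihood: Likelihood, severity: Severity) -> int:
    """Risk index on a 1..25 grid (constructed: likelihood x severity)."""
    return int(likelihood) * int(severity)


def classify(index: int) -> str:
    """Constructed acceptability bands: <=6 acceptable, 7..12 ALARP, >12 unacceptable."""
    if index <= 6:
        return "acceptable"
    if index <= 12:
        return "alarp"
    return "unacceptable"


def evaluate(risk: SecurityRisk) -> Dict[str, object]:
    """Score initial and residual risk. If no residual assessment has been recorded,
    the residual risk is conservatively taken to equal the initial risk."""
    initial = risk_index(risk.likelihood, risk.severity)
    res_l = risk.residual_likelihood or risk.likelihood
    res_s = risk.residual_severity or risk.severity
    residual = risk_index(res_l, res_s)
    return {
        "risk_id": risk.risk_id,
        "initial": initial,
        "initial_class": classify(initial),
        "residual": residual,
        "residual_class": classify(residual),
        "controls": len(risk.controls),
    }


def open_items(register: List[SecurityRisk]) -> List[str]:
    """IDs whose residual risk is still not acceptable: they need further controls
    or a documented risk/benefit justification before the file can be closed."""
    return [r.risk_id for r in register if evaluate(r)["residual_class"] != "acceptable"]


# Constructed sample register for a hypothetical connected patient monitor.
SAMPLE_REGISTER = [
    SecurityRisk("SR-01", "remote configuration interface", "unauthorised remote party",
                 "configuration commands accepted without authentication",
                 "alarm thresholds altered, delayed treatment",
                 Likelihood.POSSIBLE, Severity.CRITICAL,
                 controls=["mutually authenticated TLS", "role-based authorisation"],
                 residual_likelihood=Likelihood.RARE, residual_severity=Severity.CRITICAL),
    SecurityRisk("SR-02", "PHI stored on device", "loss or theft of device",
                 "patient records stored unencrypted", "disclosure of PHI",
                 Likelihood.POSSIBLE, Severity.SERIOUS,
                 controls=["encryption at rest", "keys held in secure element"],
                 residual_likelihood=Likelihood.RARE, residual_severity=Severity.SERIOUS),
    SecurityRisk("SR-03", "firmware update mechanism", "malicious update source",
                 "update images not signature-verified", "device runs tampered firmware",
                 Likelihood.LIKELY, Severity.CATASTROPHIC,
                 controls=["signed updates (planned, not yet verified)"]),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(evaluate(r))
    print("open items:", open_items(SAMPLE_REGISTER))
```

The point of the structure is that every security finding ends up traceable to a patient harm and to a residual-risk decision, which is exactly the evidence an NB reviewer will look for in the risk management file; SR-03 stays open because a planned control that has not been verified does not lower the recorded residual risk.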
2. Penetration testing and vulnerability scanning need to be conducted under MDR
The MDCG guidance also refers to secure design and manufacture, and the primary means of security verification and validation is testing. Methods can include security feature testing, fuzz testing, vulnerability scanning and penetration testing. A penetration test is a must-have requirement, ideally performed with external expertise, together with evidence that vulnerability scanning has been conducted.
MDR Transition Timelines: Placing on Market
The EU MDR is a new set of regulatory requirements covering the distribution of medical devices in Europe; compliance will be mandatory for companies wanting to sell their products in the EU. The MDR comes into effect on 26 May 2021, after a one-year delay related to the public health emergency of the COVID-19 pandemic. The derogation period lasts until 26 May 2024, during which manufacturers in the EU can continue to supply legacy devices (with a valid MDD certificate).
All classes of devices are included and will be checked by Notified Bodies (NBs). Devices with a valid certificate/declaration of conformity (DoC) under the MDD/AIMDD may be placed on the EU market and put into service. But, after the date of application (DoA), 26 May 2021, under certain conditions no significant changes to the design or the intended purpose of a device can be made.
With such complex requirements and changes to track over the next four years, it helps to have a regulation-ready trusted cybersecurity partner to launch new products in the market and maintain the devices throughout the product lifecycle.
Notified Bodies play an even more critical role in the EU MDR than under the previous MDD. Currently, there are 20 approved MDR NBs and only 4 IVDR NBs. Therefore, it’s important to start early to plan your discussions with an NB and incorporate cybersecurity considerations from the early design phase.
And, don’t forget about EUDAMED for post-market surveillance and vigilance, and compliance with the obligations for Economic Operators (Manufacturers, Importers, Distributors).
In summary, mitigate cybersecurity risks and keep patients and clinicians safe. Start with a security risk assessment and plan for a secure-by-design approach during the early product development stage. Medical device cybersecurity measures begin with moving away from the test-and-patch approach to creating a secure development lifecycle. Moving forward, device manufacturers must consider security from the start of the device creation process, right through to the end of a product’s lifetime.
At Irdeto Connected Health, we help early-stage companies, SMEs and established connected health device manufacturers build secure products and ensure they are properly mitigating cyber risks for the lifecycle of their products.