Medical device cybersecurity: Conformity assessments

The ongoing digitization in healthcare is populating the market with new opportunities for Medical Device Manufacturers (MDMs) and improvements in patient care. With this development, new types of safety, security and privacy risks to medical devices are becoming more prominent. To ensure the security of new medical devices, state-of-the-art regulatory frameworks are mandatory.

The number of requirements and guidelines for MDMs can be staggering. This article covers some of the new industry developments, discussing the best practice documents and the implementation of the guidances.

What you need to know about the conformity assessments

The European Association for Medical Devices of Notified Bodies (Team NB) released a position paper intended to make cybersecurity conformity assessments as efficient as possible while maintaining their quality.

The position paper outlines how regulatory requirements can be harmonized, bringing coherence and consistency to cybersecurity conformity assessments, and thereby to competitiveness, within the European and international markets.

What are the recommendations from Team NB?

In order to meet the requirements of the conformity assessments, Team NB recommends the harmonization of the following:

Recommendations from Team NB

1. Adoption of standards

The standard IEC 81001-5-1 is state-of-the-art and is expected to be harmonized by the European Commission in the coming months. Similarly, IEC TR 60601-4-5 is also being used to record the security specifications of new medical devices.

2. Approach to security risk assessments

Ideally, the security risk assessment should include a threat modeling technique (STRIDE, for example) and be integrated with an EN ISO 14971 risk management process. This combination helps to ensure that the relevant threats are covered. In addition to threat modeling and risk management, the Common Vulnerability Scoring System (CVSS) and self-defined matrices are also good methods for scoring the threats to medical devices.

3. Penetration test requirements

Pen testing for medical devices is used primarily for validation and security verification, and it is recommended that it be conducted throughout the product life cycle. MDMs should qualify their penetration testing labs according to their quality management system requirements, to ensure the testers possess the skills needed to achieve the desired depth and coverage throughout the process.

4. A secure development lifecycle

Cybersecurity of medical devices should be considered as early as possible in the development stage, and then maintained throughout development and into the late phases of the product lifecycle. Whether the device is at the stage of software replication, delivery, or decommissioning and disposal, IEC 81001-5-1 should be at the forefront of consideration when adopting a Secure Development Lifecycle (SDL).

5. Post market surveillance

Post Market Surveillance (PMS) should be applied to all medical devices in accordance with the Medical Device Coordination Group (MDCG) 2019-16 guidance document. There is a high probability that the compliance with, and effectiveness of, cybersecurity PMS will become part of the conformity assessment for regulation audits set out by the NBs for both MDR and IVDR.

Do you need to ensure compliance with all these documents?

Team NB released a Position Paper highlighting that the MDCG guidance will not introduce new legislative requirements; rather, it is intended to give further guidance to the main contributing stakeholders, specifically medical device manufacturers and notified bodies.

The paper goes on to detail important changes to MDR and IVDR:

  • MDR/IVDR Annex VII, 4.5.1 requirement: The NB shall take Common Specifications (CS) into consideration, where relevant, as well as guidance, harmonized standards and best practice documents even when MDMs do not claim to be in compliance.
  • MDR/IVDR Annex VII, 1.6.2 requirement: The NB shall take guidance and best practice documents into consideration.

To conclude, going forward all stakeholders shall take available CS, best practice documents and harmonized standards into consideration when ensuring compliance with the MDR and IVDR.

Do you need assistance in navigating the medical device conformity assessments?

Reach out to us and let’s talk!