Medical Device Regulation: One year later

Connected medical devices, like all other computer systems, incorporate software that is vulnerable to threats. When medical device vulnerability management is not conducted and maintained properly, it can be exploited which can result in patient harm. So, we can say that medical device cybersecurity is a patient safety issue. And competent authorities think the same way.

With the Medical Device Regulation (MDR) requirements being already 12 months old, how do you make sure of your MDR cybersecurity regulatory compliance with medical device cybersecurity going forward?

What has changed with the Medical Device Regulation?

In May 2021, the EU began its progressive implementation of the MDR, aimed to change the legal framework for medical devices and introduce principle and supportive responsibilities for medicine regulatory authorities. The two updates regulations are MDR 745/2017 and IVDR 746/2017, which have replaced the initial three directives (93/42/EEC; 90/385/EEC and 98/97/EC).

What does it mean in practice? For any medical device now going to the market, manufacturers need to ensure their products meet either the MDR or IVDR requirements. If your products have been certified by the Medical Device Directive (MDD) before May 2021 or have received the certificate by the latest in May 2021, you will still have two years left to align with the regulations, with the final deadline being May 26, 2024.

MDR and IVDR aim to ensure that all medical devices released are fit for the new cybersecurity challenges and can be patched in the years to come. The documents detail new essential safety requirements for all medical devices with programmable systems, as well as Software as a Medical Device (SaMD).

What are the EU manufacturer requirements for medical device cybersecurity?

If you are looking to place your products on the market or put them into service, you need to have the conformity of your products assessed according to applicable procedures in the MDR or IVDR. Whichever conformity assessment procedure you choose, you need to create technical documentation set out in Annexes II and III of the two regulations to ensure that the essentials for Annex I for either regulation are met.

The Annex I cybersecurity requirements of the Medical Device Regulation deal with both premarket and post-market aspects.

Annex I for the two regulations states that:

• Your software should be developed in accordance with state-of-the-art, considering the principles of the development lifecycle and risk management as well as information security, verification and validation.
• You will also need to meet the minimum requirements for hardware, IT network characteristics and IT security measures. This will help protect against unauthorized access.
• All devices must be manufactured to protect as far into the future as possible, against unauthorized access that could hinder the device from functioning as intended.

How can you make sure your cybersecurity regulatory compliance?

The Medical Device Coordination Group (MDCG) developed a guidance document labelled MDCG 2019-16, to help manufacturers to comply with the MDR requirements on state-of-the-art and information security.

Specifically, to the EU, there are a couple extra legislative acts that apply in parallel to MDR. These include both the NIS Directive and GDPR legislative acts which are relevant to the medical device cybersecurity, as well as the operators dealing with the protection of personal data stored in medical devices. Furthermore, the EU Cybersecurity Act introduces a cybersecurity certification framework intended to strengthen the protection for ICT processes, products and services.

At a global level, it is best to refer to the Medical Device Cybersecurity Guide made by a working group as part of the International Medical Device Regulators Forum (IMDRF). The purpose of the MDCG is to promote a unified approach to medical device cybersecurity and to provide guidance for stakeholders across the device lifecycle.

How far along are you with your implementation?

Are you still in the process of aligning with cybersecurity regulatory compliance? Have you considered safety, security and effectiveness aspects throughout the entire lifecycle of your product? We have compiled a checklist for you:

• During the product lifecycle, have you established a ‘Defense in Depth’ strategy?
  • Have you planned, documented and executed the security-related activities through the product’s lifecycle?
  • Have you identified the security requirements of your product, for example, encryption, authorization, authentication and patching strategy?
  • Did you conduct security testing to ensure that all the security requirements have been met for the product?
  • Have you tested your product’s security updates and patches for regressions and made them available to the product users in a timely manner?

• Have you conducted a medical device security risk assessment?
  • Have you assigned responsibility for your medical device security risk assessment, or are you thinking about working with a supplier?
  • Have you identified the vulnerabilities and attack vectors?
  • Have you supported the likelihood of identified security scenarios through scoring systems like the Common Vulnerability Scoring System?
  • Have you considered the security risk’s impact on safety and effectiveness, or vice versa?
  • Have you established risk acceptance criteria?
  • Have you carried out a benefit risk analysis?
  • Have you documented all software components of a device and mitigated risks associated with these software components?

• Have you prepared a Software Bill of Materials (SBOM)?
  • Is your SBOM in industry-accepted formats?
  • Is your SBOM in a machine readable format?

• Have you developed a Total Product Life Cycle (TPLC) cybersecurity management plan?
  • Does your plan include processes like post-market vigilance, planned updates, patching, vulnerability disclosure policies and information sharing?

• Have you determined processes for Coordinated Vulnerability Disclosure?
  • Do you monitor cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risks?
  • Did you adopt the coordinated vulnerability disclosure policy?

• Have you prepared a medical device cybersecurity incident response?
  • Did you establish an incident response management policy?
  • Have you built an incident response team?

Do you require additional support?

If you need guidance with completing the medical device cybersecurity steps, we can help! Reach out to us and let’s start the conversation.