The complexity of medical device cybersecurity requirements: How to cope

Cybersecurity for medical devices is no longer an afterthought! The growing adoption of new medical devices with internet connectivity, as well as strong integration capabilities with modern electronic medical record and Health Delivery Organizations (HDO) information systems, adds significant value in providing comprehensive and convenient healthcare services. These expanded capabilities bring utility, but also come with new potential security risks stemming from the increased connectivity.

Mitigating cybersecurity risks for medical devices is therefore increasingly a core focus area for regulators, who are driving the establishment of a consistent cybersecurity framework to better facilitate coordination among all parties involved. This emphasizes the importance of Medical Device Manufacturers (MDMs) being aware of and familiar with the latest requirements.

Why is cybersecurity important for MDMs and their medical devices?

It’s not an exaggeration to say that medical device cybersecurity is one of the most important, yet complex, challenges for manufacturers today. It requires significant subject matter expertise across multiple disciplines, particularly in the technical aspects.

Aside from the requirement to secure personally identifiable information, which it shares with many other industries, protecting medical devices has become more imperative than ever due to the direct impact on patient health. Attacks against these devices may not only pose serious health risks for patients, but also result in financial losses for HDOs.

In addition, the heavy reliance of this industry on a complex software supply chain adds another layer of cyber risk for medical devices, making this a more difficult task to manage. Each finished device is made up of various software components from different suppliers in multiple countries, inventoried and tracked in a Software Bill of Materials (SBOM). This complicates the task of verifying the reliability and safety of each component, as well as ensuring that the finished device remains secure. When coupled with the element of connectivity, the challenge of keeping the device safe grows exponentially.
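One concrete piece of the SBOM management described above, as an added example that is not code from the original article: a short Python check that walks a CycloneDX-style SBOM, flags components with no recorded supplier, and compares each component's version against an advisory table. The SBOM contents, the component names and the advisory table are all constructed for illustration.

```python
import json

# Constructed SBOM in the CycloneDX JSON shape (illustrative only, not a real device's inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "tls-lib", "version": "2.1.0",
         "supplier": {"name": "Vendor A"}},
        {"type": "operating-system", "name": "rtos-kernel", "version": "4.0.3",
         "supplier": {"name": "Vendor B"}},
        {"type": "library", "name": "log-util", "version": "1.2.0"},  # supplier never recorded
    ],
})

# Constructed advisory table: component name -> first fixed version (anything older is affected).
# A stand-in for the vendor, ISAC and CERT advisories the article refers to.
KNOWN_ADVISORIES = {"tls-lib": "2.1.4"}


def parse_version(text):
    """Turn a dotted numeric version such as '2.1.0' into a comparable tuple (2, 1, 0)."""
    return tuple(int(part) for part in text.split("."))


def review_sbom(sbom_json, advisories):
    """Check every component in the SBOM and return a list of (name, version, issues).

    Issues raised: no supplier recorded (missing provenance), no version recorded,
    or a version older than the fixed version in an advisory. Clean components are omitted.
    """
    bom = json.loads(sbom_json)
    findings = []
    for component in bom.get("components", []):
        name = component.get("name")
        version = component.get("version")
        issues = []
        if not component.get("supplier", {}).get("name"):
            issues.append("no supplier recorded")
        if not version:
            issues.append("no version recorded")
        elif name in advisories and parse_version(version) < parse_version(advisories[name]):
            issues.append("affected: fixed in " + advisories[name])
        if issues:
            findings.append((name, version, issues))
    return findings


if __name__ == "__main__":
    for name, version, issues in review_sbom(SAMPLE_SBOM, KNOWN_ADVISORIES):
        print(name, version, "; ".join(issues))
```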

How complicated are medical device cybersecurity requirements?

As cyber risks become more complex, cybersecurity actions need to evolve at the same pace. For that reason, regulators and international industry bodies are constantly raising the bar on the cybersecurity requirements for new connected medical devices. All updated standards, new guidance documents and market-specific legislation aim to ensure the highest level of safety for medical devices, but also inadvertently raise the complexity of medical device cybersecurity to a whole new level.

Specifically, there is a combination of numerous pre- and post-market guidance documents, required activities and best practices applicable to both the EU and the US markets: Security Risk Management, IMDRF MD Cybersecurity, Secure Product Lifecycle, SBOM Generation and SBOM Management, to name a few.

Besides that, each market is also governed by its own set of rules and requirements.

  • The EU market: GDPR, NIS2, Cybersecurity Act, MDCG 2019-16 and many more.
  • The US market: HIPAA, Omnibus (Consolidated Appropriations Act), NIST Cybersecurity Framework and several others.

The intertwining of requirements, both general and market specific, creates significant complexity in the medical device cybersecurity ecosystem, but the medium-term trajectory points toward a global harmonization of requirements. This will increase accessibility to markets, improve the cybersecurity capabilities of devices and foster more innovation.

What useful sources can MDMs use to keep up with new requirements?

Staying up to date with new market standards and requirements is one of the most difficult challenges for MDMs. There is no single source for all regulations, updates and guidance documents, not to mention that each market has its own enforcement agencies. The two most important and authoritative sources of information on the regulations are the European Commission and the US Food and Drug Administration.

Furthermore, new vulnerabilities in medical devices are regularly discovered and disclosed by both governmental and non-governmental organizations, such as H-ISAC, Z-CERT and ANSSI. In some cases, the FBI also releases industry alerts providing insight into attack possibilities arising from unpatched and outdated devices.

Do you need help with the regulatory landscape?

Keeping up with industry standards and requirements is as challenging as addressing cybersecurity issues for medical devices. We are here to help you cope with this, so contact us today!