Cybersecurity for Medical Device Manufacturers in EU

In December 2022, the European Commission published the new Directive (EU) 2022/2555 on measures for a common level of cybersecurity across the Union. It amends Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (the eIDAS Regulation) and repeals the NIS 1 Directive, which was issued in July 2016.

As cybersecurity moves increasingly into the focus of Medical Device manufacturers (e.g., through interconnectivity and Medical Device Software), we would like to give some insight into the different EU regulatory requirements regarding cybersecurity.

Basically, the term cybersecurity in Medical Devices refers to the protection of the confidentiality, integrity and availability of the data a device processes. This includes all kinds of personal information of patients or operators, configuration items (e.g., personalized settings) as well as the integrity of the source code and algorithms linked to the intended use of the Medical Device. In short: everything that could be a possible attack vector on the device. Medical Devices such as pacemakers, insulin pumps, and imaging equipment are increasingly connected to the internet and other networks, making them vulnerable to cyberattacks. Therefore, it is critical for manufacturers and healthcare organisations to ensure the security of these devices.

In general, best practices in cybersecurity protection measures can be divided into eight layers:

· Physical Security (e.g. access control in clean rooms or hospital and laboratory server rooms)

· Network Security (e.g. authentication in the network systems of monitoring systems at intensive care stations, strong password policies, malware protection)

· Perimeter Security (e.g. protection of cloud-based Medical Devices that exchange diagnostic data)

· Endpoint Security (e.g. locking the Medical Device user interface against unauthorized users or systems)

· Application Security (e.g. activation of audit trails and authentication, or a regular software update control process, especially when interconnectivity is a key function)

· Data Security (e.g. confidentiality, integrity and availability of patient records)

· User Education (e.g. training users on identified foreseeable misuse, training input from usability validation, training of lay persons and professionals)

· Monitoring (e.g. screening of public vulnerability database sources, analysis of incidents and of the behaviour of internal systems, and definition of preventive actions)

It is of tremendous importance to understand that cybersecurity is a continuous process throughout the lifecycle of a Medical Device. Vulnerabilities and incidents must be monitored and analyzed in the post-market period of a Medical Device in order to release updates or patches that keep the devices in a conforming state and prevent attacks.

1. New EU Directive regarding Cybersecurity

The new Cybersecurity Directive (EU) 2022/2555 is also known as the NIS 2 Directive (Network and Information Security). First of all, the change from Directive (EU) 2016/1148 to Directive (EU) 2022/2555 was mainly driven by the cybersecurity requirements imposed on entities providing services or carrying out activities which are economically significant, as these requirements varied among Member States.

The review of Directive (EU) 2016/1148 revealed a wide divergence in the implementation of cybersecurity requirements by Member States. EU Directives are a type of legislation binding on EU member states. They set out the goals which member states must achieve but leave it up to each state to decide how to implement those goals. This means Directives provide a framework, but the specifics of how that framework is put into practice are left to each individual member state. Once a Directive has been adopted by the EU, member states are given a transition period to transpose the Directive into national law. An EU Regulation, by contrast, is a law that is directly applicable and binding in its entirety in all EU member states without the need for national implementation, in order to ensure the functioning of the internal market.

The new Cybersecurity Directive defines which sectors are of importance to the public. It explicitly mentions medium-sized up to enterprise-sized Medical Device manufacturers, meaning they need to demonstrate conformity with the new Directive. The transition period for implementation ends on 18 October 2024.

2. New regulation for the European Medicines Agency (EMA) requires cybersecurity provisions

The new Regulation (EU) 2022/123 on a reinforced role for the European Medicines Agency in crisis preparedness and management for medicinal products and Medical Devices was established because of an increased level of cybersecurity threats in the midst of the COVID-19 pandemic. Even the EMA itself was targeted, and several documents related to vaccines were illegally accessed. The COVID-19 pandemic as a whole has shown the need for a legislative framework which also establishes cybersecurity requirements for the EMA. This is why Article 33 “Protection against cyber-attacks” stipulates best practices in cybersecurity.

3. Medical Devices in the European Union

The Medical Device Regulation (EU) 2017/745 (MDR) and the In Vitro Diagnostic Medical Device Regulation (EU) 2017/746 (IVDR) have also changed in legislation type from EU Directives to EU Regulations, as the EU Commission decided not to leave it up to the Member States how the goals of these frameworks shall be achieved. Both regulations, MDR and IVDR, set requirements regarding information and IT security for Medical Devices throughout the whole lifecycle and demand appropriate consideration in risk management: “Manufacturers shall set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorized access, necessary to run the software as intended.” [MDR, Annex I, Chapter II Requirements regarding Design and Manufacture, clause 17.4]

This is required for devices that incorporate electronic programmable systems (PEMS) according to IEC 60601.


3.1 Medical Devices in network systems

When Medical Devices are connected to network systems (e.g. monitoring of life-threatening conditions, including alarm systems), security requirements are of increasing importance. Every new connection can be seen as a potential attack vector to introduce malware, steal information or take control of systems. Organisations deploying systems in such an environment (e.g. hospitals and laboratories) should have an information security management system in place. Since the update of ISO 27001 (Information technology – Security techniques – Information security management systems – Requirements) in autumn 2022, cybersecurity requirements have become a substantial part of Annex A of this standard.

A selection of Annex A controls that support information security management systems:

· Threat intelligence (collection and analysis of information on security threats, including audit trail monitoring)

· Access control (establishment of rules regarding physical and logical access to information, rooms, facilities and other endpoints, including access to medical product source code)

· Authentication, identity management and the privileges of roles

· Security incident management (assess, manage and learn from security incidents, establish appropriate measures, prevent data leakage)

· Business continuity plan (plan, implement and maintain different states of availability, including disruption procedures and regular backup maintenance)

· Protection of records (including defined requirements for data privacy, e.g. ISO 27701, and encryption requirements)

3.2 IEC 62304 upgrade or not

Although ISO Technical Committee 215 issued an update of IEC 62304 (Medical Device software — Software life cycle processes) at the beginning of 2021, it was deleted during the enquiry stage. Nonetheless, it can be expected that Security Threat Management will be an explicit requirement in the subsequent standard, and that Risk Management (ISO 14971) shall address security risks at a more detailed level, regardless of whether it will be a new standard or a 2nd edition of IEC 62304.

3.3 (Post-market) Risk Management

Risk Management, whether during development or post-market, needs to consider cybersecurity in more detail, as identified risks may trigger a product change.

A generic, newly detected vulnerability may be published by Computer Emergency Response Team (CERT) organisations or in the vulnerability database of the National Institute of Standards and Technology (NIST). Preventive monitoring of such databases triggers at least a minor change of the Medical Device Software (UDI-PI-relevant) whenever a security patch is developed to address such a specific risk.

3.4 Requirements for eHealth applications (Germany)

Germany has established the technical guideline BSI TR-03161 in order to protect sensitive health data in eHealth applications. The guideline is separated into three parts (mobile, web and backend services) and describes requirements regarding security as well as the risks and objectives of eHealth (mobile) applications.

For example, manufacturers are asked to permanently check and monitor the application and its backend, as well as the frameworks and libraries used, for exploitable vulnerabilities. The BSI TR sets out requirements regarding the encryption of sensitive data if it is intended to be sent to third-party frameworks and/or libraries. In particular, tracking data such as Wi-Fi SSID, GPS, etc. may only be used for a limited purpose which depends on the primary purpose (defined intended use) of the Medical Device. This is in line with the General Data Protection Regulation, which requires knowing which data is processed and how, where and for how long it shall be stored.
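The preventive monitoring described in sections 3.3 and 3.4 (matching the libraries a device ships with against published vulnerabilities, and opening a change record when a patch is needed) can be automated. The following is an added example, not code from the article or from EUMEDIQ; the SBOM, the advisory feed and the "EX-..." advisory identifiers are constructed placeholders, and the version-range logic is an assumption about how a feed entry is represented.

```python
"""Match a device SBOM against a vulnerability feed (added example, not from the article).
Component names, versions and "EX-..." advisory ids are constructed placeholders, not real CVEs."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_version(version: str) -> tuple:
    """Turn '1.2.9' into (1, 2, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    affected_below: str  # every version strictly below this one is affected
    fixed_in: str        # first version that carries the security patch
    severity: str

# Constructed SBOM of one released device software version: component -> installed version
DEVICE_SBOM = {"tls-stack": "1.2.9", "dicom-parser": "3.0.1", "json-lib": "2.4.0"}

# Constructed feed standing in for entries pulled from CERT or NIST sources
ADVISORY_FEED = [
    Advisory("EX-2023-0001", "tls-stack", "1.3.0", "1.3.0", "high"),
    Advisory("EX-2023-0002", "dicom-parser", "2.9.0", "2.9.0", "critical"),
    Advisory("EX-2023-0003", "json-lib", "2.5.0", "2.5.0", "low"),
]

def affected_components(sbom: dict, feed: list) -> list:
    """Return (advisory, installed_version) pairs where the installed version is affected."""
    hits = []
    for adv in feed:
        installed = sbom.get(adv.component)
        if installed is not None and parse_version(installed) < parse_version(adv.affected_below):
            hits.append((adv, installed))
    return hits

def change_actions(sbom: dict, feed: list) -> list:
    """Turn each hit into a post-market action record, most severe first. Shipping the patch
    is a software change, which the article classes as at least minor (UDI-PI-relevant)."""
    hits = sorted(affected_components(sbom, feed), key=lambda h: SEVERITY_RANK[h[0].severity])
    return [
        {"advisory": adv.advisory_id, "component": adv.component, "installed": installed,
         "update_to": adv.fixed_in, "severity": adv.severity, "change_class": "minor (UDI-PI)"}
        for adv, installed in hits
    ]
```

Run against the constructed data, the dicom-parser entry is not flagged because the installed version is already above the affected range, while the two remaining hits are ordered so that risk management reviews the higher severity first.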

4. Why EUMEDIQ can support you in cybersecurity of Medical Device environments

EUMEDIQ employs certified ISO 27001/ISO 13485 Lead Auditors, CIPP/E data privacy professionals and safety experts for active Medical Devices.

Besides its qualified employees, EUMEDIQ has implemented cybersecurity protective measures in order to keep customers’ property safe. As this information may contain intellectual property, EUMEDIQ has established different measures and procedures:

· Mandatory password security management for all employees

· Firewall and device endpoint protection

· Access control with 2-factor authentication for critical computer systems

· Active device encryption

· Screening of supplier selection and requirements

· Preventive monitoring regarding security threats

· Regular training of employees

· Regular update enforcement

· Following a computer system validation process

· Monitoring of security performance indicators in management review

Our key message here is: “We walk the talk”, and this is the reason why you should get in touch with us whenever you experience challenges concerning cybersecurity, information security or privacy requirements for your Medical Device product(s) or management system(s).

#cybersecurity #medicalimaging #medicalsoftware #ISO27001 #gdpr

Mike Seidenberg & Dr. Dr. Roland Schnitter
