Cybersecurity guidelines for medical device manufacturers
Increased focus on cybersecurity
Cybersecurity is becoming increasingly important in this digital world, as hackers develop more sophisticated techniques while technology improves. The healthcare industry is particularly vulnerable to cyber attacks because its outdated systems and devices hold vast amounts of patient personal data, including sensitive health data. In fact, research shows that healthcare is the most breached industry, with breaches costing £5.2 million on average.
However, medical devices play a vital role in innovation in healthcare, and have the potential to expose some of the most sensitive patient personal data to cyber vulnerabilities. Of course, the consequences of cyber attacks are further heightened when patient safety is involved: for example, a fault in the functioning of a medical device (such as one exposed to the BlueKeep security vulnerability) could have serious life-or-death implications. Due to the complexities of software development, most products (including medical devices) will contain vulnerabilities of some description. It is difficult to know whether these vulnerabilities can be discovered and then exploited until it occurs. There is increasing pressure on manufacturers of medical devices to be accountable for the safety of their devices against such vulnerabilities, and manufacturers should ensure products are designed and built in a way that removes or minimises such risks as far as possible.
In light of the fast-paced technological developments in medical devices, the EU’s Medical Device Coordination Group has recently published guidelines (the “Guidelines”) to assist manufacturers in complying with the cybersecurity requirements for medical devices set out in Annex I to the two new regulations on medical devices (the “Regulations”).
What do the guidelines say?
The Guidelines provide manufacturers of medical devices with key elements to consider when ensuring compliance with their cybersecurity obligations. Ultimately, the key theme of the Guidelines centres on the concept of risk in cybersecurity. In the field of medical devices, manufacturers have an overarching obligation to ensure that risk to patient safety is reduced to an appropriate level.
Some of the key topics detailed in the Guidelines are explored further below.
- Key cybersecurity concepts
Manufacturers are required to comply with basic cybersecurity principles such as ensuring the effectiveness of IT security, operation security and information security in medical devices. In the context of medical devices, the key principles of safety and security overlap. Manufacturers are reminded that a balancing act needs to be conducted when assessing the benefits and risks of a medical device to ensure that any operational risks are reduced to a level where a high standard of health and safety can be maintained.
Any assessment of cybersecurity risk must be conducted at the design stage of the device to ensure that the medical devices are safe and effective for their intended purpose. Examples of cybersecurity incidents and serious incidents are helpfully provided in Annex II to the Guidelines.
The Guidelines also highlight the joint responsibility of other players in the healthcare ecosystem (including suppliers, healthcare providers, patients and operators) for maintaining high cybersecurity standards to ensure patient safety.
- Secure design and manufacture
Safety, security and effectiveness are key elements for manufacturers to consider right from the design and development phase, through manufacturing and throughout the lifecycle of the medical device. Addressing cybersecurity risks at an early stage can reduce future cybersecurity risks; however, it is important that the security of the software is regularly re-assessed during the lifecycle so that the medical device is not left exposed to newly emerging security vulnerabilities and new attack vectors.
The Guidelines helpfully set out examples of the minimum IT security requirements for the operating environment of medical devices that manufacturers are required to communicate to users in line with the Regulations.
- Documentation and instructions for use
The Guidelines set out examples of the types of information manufacturers must provide in the:
- technical documentation for the medical device, including the security requirements to ensure the safety and effectiveness of the medical device;
- instructions for use in relation to IT security risks, including the risk profile of the device and specifications of the operating system; and
- information provided to healthcare providers about the intended use environment of the medical device, including the information that providers present to patients about the risks and benefits in relation to the use of the medical device.
Importantly, the Guidelines recommend that any security information should be kept in electronic form so that updates in response to frequent cybersecurity threat changes can be made in a timely manner.
- Post-market surveillance and vigilance
Manufacturers have an obligation to conduct post-market analysis of a medical device to ensure that its level of security reflects changes in cybersecurity vulnerabilities. In particular, manufacturers are required to put in place a post-market surveillance system to gather information from users of medical devices on the market and to implement any corrective measures. The Guidelines suggest that this information-gathering exercise should involve distributors of the medical device and potentially its authorised representative and importers.
Medical devices usually collect vast amounts of sensitive health data which is a highly protected set of personal data under data protection law. Health data is becoming an increasing target for cybersecurity attacks as hackers know the intrinsic value of this data, which has been increased by the past willingness of healthcare companies to pay a ransom in order to protect patient data.
If this data is exposed in any way due to a cybersecurity vulnerability, medical device manufacturers and suppliers could suffer both reputationally and financially, as European regulators have the power to impose hefty fines and individuals have the right to claim compensation. In fact, the UK’s data protection regulator (the Information Commissioner’s Office (“ICO”)) recently fined a large retail organisation £500,000 (which was the maximum fine available at the time of the breach) for having poor security arrangements and failing to take adequate steps to protect personal data. In particular, the ICO highlighted the vulnerabilities of inadequate software patching, absence of a local firewall and lack of network segregation and routine security testing. Although this fine was in the context of a different industry sector, this is a useful reminder to manufacturers of medical devices to ensure appropriate security measures are in place and are frequently tested.
Manufacturers and suppliers face an uphill battle in ensuring that security protections in medical devices evolve to reflect the rapidly changing cyber threat landscape. However, complying with these Guidelines (and the Regulations) throughout the lifecycle of a medical device should enable manufacturers to demonstrate compliance with their obligations: that they are adequately assessing risk at every stage and implementing appropriate security measures to mitigate cybersecurity risk.
The Regulations are Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices.