Frameworks Of Medical Device Security

The field of Medical Device Cybersecurity, as I have explored it over the last week, is one that attempts to protect people's health while walking a line between efficiency and security, so that a device is not only secure but also effective in treating the patients who need it. Manufacturers toe this line by implementing security measures from development until the end of the life cycle discussed last week. These measures come from frameworks released by organizations such as ISO and the IMDRF.

The IMDRF (International Medical Device Regulators Forum) has in recent years put out several guidelines that seek to address the threats medical devices can face throughout their lifecycle. These include the “Principles and Practices for Medical Device Cybersecurity”, “Software as a Medical Device”, and “Possible Framework for Risk Categorization and Corresponding Considerations”. These frameworks address best practices for medical devices throughout the lifecycle of the device, including after the device has been introduced to the market. One approach the IMDRF recommends is security by design: a company keeps the security of the device, both physical and digital, in mind from the moment it is designed, accounting for any risks that might exist in the field or arise through normal use of the device. This concept of addressing risks is a recurring theme in the security of medical devices. The IMDRF recommends that all medical device manufacturers and designers pursue a risk-based development and assessment model. In the risk-based model, risks to devices are categorized by severity, assessed for how relevant they are to the device, and then addressed with appropriate measures that bring the risk down to acceptable levels without impacting the performance and functionality of the device. The IMDRF also recommends that manufacturers have a robust post-market incident response plan that allows them to gather details on what happened, determine what changes need to be made, and send out updates as needed for new threats. This organization is cited heavily in the EU's 2017 regulation, known as the MDR, which has recently come into effect and which requires in Annex 1 this risk-based model, threat assessment, and security-versus-performance mindset. It is also heavily referenced in the FDA's current pre- and post-market guidelines, where again the maintenance of a risk framework, secure design, and threat assessment are required.

Another framework leveraged by both the FDA and the EU's MDR is the ISO framework. ISO stands for the International Organization for Standardization, and it publishes standards used in many industries; however, I focused only on those relating to medical devices, mainly ISO 27001. This framework is also referenced in the MDR and in the FDA pre- and post-market guidelines. It makes some important recommendations, such as ensuring that security within a medical device organization is well planned out and documented, ranging from leadership ensuring that everyone working on the device is recording their work and receiving the needed security resources, to ensuring that the plan is adaptable to problems that occur so that a device does not get bogged down by them. ISO also recommends that, to be compliant, an organization maintain an actively adapting threat model for the devices and software it releases, in order to proactively protect users. This is a big part of the framework and will need to be explored in the future.

This week the main issue I ran into was working out how these frameworks are applied in regulations, since the frameworks themselves are guidelines. Due to the constantly evolving nature of the cyber landscape, they have to be relatively open-ended to remain relevant. Therefore, defining terms such as “state of the art” and “dynamic risk” is an important hurdle I had to face and am still actively working to clarify.

For further questions about Munich Cyber Security Program, or this project please feel free to contact

Written By: Michael Verdi '22 // Computer & Information Systems Security  