Understanding Medical Device Regulation and Cybersecurity Standards

Medical device manufacturers must navigate through these regulations to bring their products to market.

SHLOMIT CYMBALISTA

October 27, 2022

What Are Medical Device Regulations?

In most countries, medical devices go through a rigorous regulatory and approval process before they can enter the market and be used by medical practitioners and patients. Regulations exist to ensure the safety of users and also validate the efficacy of medical treatments carried out by these devices. 

The activities required by medical device regulations have important implications for all stakeholders involved in developing, testing, marketing, and operating a medical device.

Important medical device regulations include the US FDA 21 CFR and the EU Medical Device Regulation (MDR).

What Are the Cybersecurity Challenges of Medical Devices?

Connected medical devices are at high risk of cyberattacks, and the consequences of an attack can be more severe than with other connected systems. Cybersecurity is becoming a critical aspect of the design, manufacturing, and operation of medical devices.

Many connected devices store or transmit patient data, making it important to protect privacy and ensure the integrity of the data. A data breach could be used to damage the reputation of a patient or force a healthcare organization to pay a ransom to regain access to the data.

But the risk of cyberattacks on medical devices goes far beyond privacy concerns - they can threaten the safety of patients as well. Medical devices breached by attackers can cause physical harm to patients, disrupt medical care, and affect health outcomes.

Industry research shows that a majority of connected devices in hospitals have severe vulnerabilities. This includes bedside medical devices, which directly impact the well-being of patients. If these devices are attacked, it could affect service availability, data confidentiality, or patient safety, and could have life-threatening consequences.

Here are some of the common risks facing connected medical devices:

  • Many devices have known security vulnerabilities but do not support software or firmware updates. For example, many critical devices run old Windows versions that no longer have security updates.
  • Many devices use default credentials which can be easily discovered by attackers. In some cases the default credentials cannot be changed, and even if they can, hospital staff may not have visibility over the affected devices.
  • Many devices do not support deployment of endpoint security technology, such as endpoint detection and response (EDR). Instead, they must rely on inadequate network and perimeter defenses.
  • It can be challenging and time consuming to obtain logs from these devices, and there is usually no solution for real-time alerting in case of anomalous events.

Medical Device Regulations in USA and EU

USA Medical Device Regulation

The U.S. Food and Drug Administration (FDA) regulates medical devices to ensure public health and the safety of patients, healthcare workers, and communities. 

Medical devices are classified as Class I, II, or III, with progressively higher risk to patients and therefore more stringent regulatory controls. Here are the basic regulatory requirements that manufacturers of medical devices distributed in the US must comply with at every stage of the device lifecycle, from pre-market (prior to commercialization) to post-market (after device approval, during commercial use):

Development Stage (Pre-Market)

The FDA requires manufacturers to complete certain steps prior to device approval to ensure the device is designed and developed with safety and effectiveness in mind. These requirements are defined in FDA 21 CFR parts 807 and 814 and include a detailed description of the FDA submission process.

Post-Market Approval Stage

The FDA guides manufacturers on how to advertise and promote their devices and how to report on the use of medical devices in the field (21 CFR Part 803). This includes reporting known equipment defects or events that could cause serious damage to equipment.

Multi-Stage Requirements

The FDA has further regulations that impose requirements throughout the medical device product lifecycle. These include:

  • Controls used by manufacturers
  • Guidance for designing medical devices
  • Guidance for servicing medical devices
  • Information materials that must be provided with the device
  • Requirements for quality systems (21 CFR part 820)
  • Labeling requirements (21 CFR part 801)

European Medical Device Regulation (EU MDR)

The new European Medical Device Regulation (MDR) (EU) 2017/745 entered into force in 2021, and is applicable to any manufacturer seeking to market their medical devices in Europe. It supersedes the EU Medical Device Directive (MDD). 

Primary goals of the EU MDR are:

  • To ensure devices that enter the market are both safe and effective.
  • To ensure that the devices are operating as expected.
  • To ensure the appropriate information is provided by the manufacturer in the label and packaging.
  • To discover previously unknown side effects of device use.
  • To identify the risks associated with using the equipment.
  • To identify common ways people misuse their devices and the associated risks.
  • To support post-market assessment and continuous improvement of the device.

According to the EU MDR guidelines, manufacturers are required to:

  • Implement a design and development process that ensures device quality and safety.
  • Ensure technical documentation and labels comply with regulatory requirements.
  • Collect and integrate clinical data to support performance and safety claims for devices.
  • Maintain an up-to-date inventory of medical equipment currently in use.
  • Implement Unique Device Identification (UDI) on all medical device products and indicate these on the label of the products.
  • Perform post-market surveillance (PMS) and post-market clinical follow-up (PMCF) to ensure public safety and validate device efficacy.

7 Regulations and Standards that Might Affect Your Medical Devices

UL 2900 Safety Software Cybersecurity for Network-Connectable Products

UL 2900 is a set of standards issued by UL, a globally recognized safety consulting and certification company. The primary standards are:

  • UL 2900-1—general software cyber security requirements for network-connectable products
  • UL 2900-2-1—requirements for medical and healthcare systems
  • UL 2900-2-2—requirements for industrial control systems
  • UL 2900-2-3—security and life safety signaling systems

TIR 57 AAMI Principles For Medical Device Security

Technical Information Report (TIR) 57, published by the Association for the Advancement of Medical Instrumentation (AAMI), provides guidance on how to conduct information security risk management for medical devices. It has been formally adopted by the FDA as a foundational standard.

It is compatible with the security risk management process required by ISO 14971, and incorporates risk management concepts from IEC 80001-1, including Safety, Effectiveness, and Data and Systems Security. TIR 57 includes detailed Annexes with examples and process details.

FDA Cybersecurity Guidance

In April 2022, The FDA published a draft guidance titled Cybersecurity in Medical Devices, aimed at improving safety for medical devices throughout the total product lifecycle (TPLC), including development, release, support, and decommissioning of medical devices. The guidance is intended to help manufacturers meet the cybersecurity requirements within their Quality Systems Regulations (QSR).

The FDA guidance establishes six broad expectations: that cybersecurity be an integral part of device safety and the QSR; that manufacturers adopt a security-by-design approach; transparency in the development process; security risk management; a defined security architecture; and the use of testing and objective evidence.

PATCH Act

The US Protecting and Transforming Cyber Health Care (PATCH) Act was introduced to the US Congress in March 2022, and had not yet been enacted at the time of this writing. The new FDA Cybersecurity Guidance (see the previous section) was released as a result of the PATCH Act.

The PATCH Act sets new requirements for medical devices and network security in US healthcare systems. The goal is to ensure that US healthcare systems are resilient to cyber threats, including ransomware, which is an imminent threat to healthcare organizations around the world. The new Act will have the following impacts on the healthcare industry when it comes into force:

  • Define mandatory cybersecurity requirements for manufacturers applying for FDA premarket approval.
  • Guide manufacturers in design, development and maintenance processes, to ensure devices are updated and patched for security throughout their life cycles.
  • Require manufacturers to create a Software Bill of Materials (SBOM) for devices and provide it to users.
  • Require manufacturers to plan how to monitor, identify and respond to cybersecurity vulnerabilities when devices are deployed in the field (postmarket).
  • Define a Coordinated Vulnerability Disclosure that manufacturers will need to submit to demonstrate safety and effectiveness of a medical device.

IMDRF

The International Medical Device Regulators Forum (IMDRF) is a group of medical device regulators from different countries who are working on harmonizing medical device regulations. Their work builds on that of the Global Harmonization Task Force on Medical Devices (GHTF).

In 2020, the IMDRF released its guidance document: Principles and Practices for Medical Device Cybersecurity. This document provides recommendations for all relevant stakeholders about best practices for medical device cybersecurity - including for in vitro diagnostic (IVD) devices. It takes a risk-based approach to design and development of devices, and aims to ensure safety, security, and performance of medical devices and related healthcare infrastructure. 

The recommendations can help minimize the risk of patient harm throughout the total product life cycle (TPLC), and help organizations set policies for sharing and managing security incidents, threats, and vulnerabilities. 

MDCG

The Medical Device Coordination Group (MDCG) is a European regulatory body, which has the goal of improving medical device coordination and ensuring medical devices are used safely and effectively. It is well known for publishing guidance documents that can help manufacturers meet EU MDR requirements, starting with the MDCG 2019 series.

Specifically, the MDCG has published Guidance on Cybersecurity for Medical Devices. The document is aligned with the IMDRF medical device guidance, aiming to help manufacturers fulfill all the cybersecurity requirements in the MDR and IVDR regulations. The guidance also explains premarket and postmarket requirements during all the possible operation modes of a medical device.

Medical Device and Health IT Joint Security Plan

In the US, the Health Sector Coordinating Council (HSCC), in partnership with the U.S. Department of Health and Human Services (HHS), released a set of recommendations for cybersecurity best practices for health providers. This is a voluntary standard known as Health Industry Cybersecurity Practices (HICP).

The HICP standard is based on 1.5 years of work by industry and government experts, identifying the top five cyber threats affecting healthcare systems and the ten best practices to deal with them. It is designed to be suitable for healthcare organizations of all sizes and reduce risk across the US healthcare industry.

In addition to the HICP, the HSCC also released the Medical Device and Health IT Joint Security Plan (JSP), a consensus-based total product lifecycle (TPLC) reference guide. Its goal is to help medical device manufacturers develop, deploy, and support technology solutions in a healthcare environment while ensuring they are resilient to cyber attacks. 

A key principle of JSP is security by design. It also defines a shared responsibility model between stakeholders, harmonizes security-related standards, defines risk assessment methods, and specifies how to share information about security vulnerabilities. The JSP document is intended to be updated on an ongoing basis to adapt to new threats and medical devices.

Easily Meet Regulatory Requirements with Sternum: Deterministic Security for IoT

Sternum is an IoT security and observability platform, which lets you meet and exceed the security requirements of standards and regulations such as UL 2900, TIR 57, and the FDA Cybersecurity Guidance.

Embedded in the device itself, Sternum provides deterministic security with runtime protection against known and unknown threats; complete observability that provides data about individual devices and the entire device fleet; and anomaly detection powered by AI to provide real-time operational intelligence.

Our security solution operates at the bytecode level, making it universally compatible with any IoT device or operating system, including RTOS, Linux, OpenWrt, Zephyr, Micrium, and FreeRTOS. It has a low overhead of only 1-3%, even on legacy devices.

Here is how Sternum can help you improve IoT security to meet regulatory requirements:

  • Agentless security - integrates directly into firmware, making it a part of the core build. This ensures that the solution cannot be externally compromised and leveraged as a point of failure, making the device 'secure by design'.
  • Automatic mitigation of known and zero-day threats - prevents 96.5% of attacks in benchmark (RIPE) security tests. Its vulnerability-agnostic approach makes it equally effective in dealing with known and zero-day threats. This not only improves security but can also cut security patch management costs by as much as 60%.
  • Supply chain protection - relies on binary instrumentation, making it able to protect all running code. This extends to 3rd party and operating system libraries, effectively preventing all supply chain exploit attempts. 
  • Protection of isolated devices - does not rely on external communication to secure devices, making it equally effective for connected and isolated devices.
  • Live attack information with zero false positives - a real-time alert system notifies about all blocked attacks, providing - for each - detailed logs and attack path analysis. The deterministic nature of EIV's integrity checks ensures that all alerts are always valid.
  • Streamlined compliance - helps meet the latest cyber regulations for IoT devices (IEC 62443, FDA, NIST, etc) and the most current FBI recommendations for Internet of Medical Things (IoMT) endpoint protection.


Better Performance with Autonomous Observability

Gain complete visibility by monitoring and analyzing events in your device or across an entire fleet, from the first line of code and until post-deployment maintenance.

Diagnose software bugs and vulnerabilities using instrumentation to pinpoint flaws, and gain dynamic profiling and analysis of the software, including third-party code.
