Tightened rules on cybersecurity of medical devices – what to be aware of as a manufacturer.
The Medical Device Coordination Group (MDCG) has issued guidance (MDCG 2019-16, Guidance on Cybersecurity for medical devices) intended to support a harmonised administrative practice in interpreting the cybersecurity-related requirements of Annex I of Regulation (EU) 2017/745 on medical devices (MDR). This article reviews the main points of that guidance.
The MDCG is composed of representatives of all Member States and is chaired by a representative of the European Commission. It was established by Article 103 of the MDR to advise and assist the Commission and the Member States in ensuring harmonised implementation of the Regulations on medical devices.
Concepts of "IT security", "operation security" and "information security"
Annex I of the MDR sets out minimum requirements for hardware, IT network characteristics and IT security measures, including protection against unauthorised access, with which manufacturers of medical devices must comply. The guidance distinguishes three concepts that underpin these requirements and should not be confused with one another.
"IT security" in relation to medical devices covers the confidentiality of the information the device handles, integrity (including the technical integrity of software and data) and the availability of processes, devices, data and connected systems.
"Operation security" covers protection against the intentional corruption of procedures and workflows so that they produce results unintended by their owners, designers and users.
"Information security" appears in the requirement that all devices incorporating software, and software that is itself a device, must be developed and manufactured in accordance with the state of the art, taking into account the development life cycle, risk management (including information security), verification and validation.
Basic safety and performance requirements
The MDR requires medical devices to be safe and to perform as intended. When deciding on the design of connections, interfaces, etc., manufacturers must take cybersecurity into account so that the safety and performance of the device are protected against cyber-related risks and threats. The requirements must be proportionate to the type and nature of the device, including its intended purpose and the environment in which it is used.
Manufacturers must ensure that the device is designed and manufactured in a way that eliminates, or reduces as far as possible, the risks associated with reasonably foreseeable environmental conditions.
Safety in design and manufacturing
Safety and performance are critical aspects in the design of medical devices. Manufacturers are therefore required to consider them from an early stage of development and manufacturing and throughout the lifetime of the device.
Risk management must be performed to identify and assess risks to the safety and performance of the device arising from its intended use and from reasonably foreseeable misuse. These risks must then be reduced as far as possible to an acceptable level.
Minimum requirements for cybersecurity
Annex I of the MDR sets out various minimum cybersecurity requirements for manufacturers of medical devices.
The manufacturer must set out the minimum requirements concerning hardware, IT network characteristics and IT security measures, including protection against unauthorised access, that are necessary to run the software as intended and that cannot be achieved by the design of the device itself.
Manufacturers must also document cybersecurity-relevant information clearly in the instructions for use and other accompanying documentation, for example device specifications and compatibility, recommended cybersecurity measures and the assumed IT environment.
Any minimum requirements placed on the operating environment must be derived according to a number of principles listed in the guidance. For instance, every requirement on the security of the operating environment must be based on the risk assessment performed for the device in question. The device should rely as little as possible on security measures outside its own control. Finally, the manufacturer's assumptions about the cybersecurity of the operating environment must be stated clearly in the instructions for use and be consistent with recognised security best practice.
Other cybersecurity requirements
A number of further cybersecurity-related requirements are not found in Annex I of the MDR but must still be observed by manufacturers, for instance the protection of privacy and personal data, post-market surveillance and the reporting of serious incidents involving the device.