Topical Article

Cybersecurity considerations for Connected Medical Devices

Posted on by Congenius

Medical devices are becoming increasingly connected to the internet, hospital networks, and to other medical devices. Whilst this increased connectivity enables functionality that facilitates improved health care, this same functionality also expands the potential for cybersecurity risks.

In our topical article below, our Head of eHealth Paul Gardner outlines some key considerations regarding cybersecurity for connected medical devices, including advice for design & implementation, testing, and manufacture.

Medical devices, like other computer systems, can be vulnerable to security breaches which can potentially impact their safety and effectiveness. As threats and vulnerabilities cannot be fully eliminated, reducing cybersecurity risk is especially challenging. The health care environment is complex, and so manufacturers, health care providers, and facilities must work together to manage potential cybersecurity risks. Cybersecurity and maintaining data integrity are fundamental parts of any connected medical device development and need to be continuously managed throughout the product’s lifecycle. 

What should you consider during Design and Implementation?

Security threats need to be considered early in the development process. Security activities such as architecture review, threat modelling, application security testing, penetration testing, and risk management will help to reveal the potential vulnerabilities within your connected medical device.

Design and risk procedures must account for cybersecurity. The MDR outlines eight practices for managing the cybersecurity of your device:

  1. Plan and document all of your security-related activities.
  2. Define your security requirements in a similar way to your software specifications.
  3. Implement Security by Design. Your design process should incorporate cybersecurity. “Security by Design” means designing products to be foundationally secure. It also involves having multiple layers of defence such that the breach of any single element does not compromise the whole system.
  4. Implement your cybersecurity design correctly, ensuring that any procedures concerning software releases are followed.
  5. Define your Verification and Validation testing activities and link them to the risk of your software, before then performing validation testing.
  6. Consider Security Breach Management by documenting how you will handle any security issues should they arise.
  7. Address Change Management by defining how you would assess risks and roll out software changes.
  8. Provide security guidelines in user documentation that explain how to operate the medical device with cybersecurity in mind.

The importance of Threat Modelling

While industry standards and best practices help with developing security requirements, you also need to consider the requirements of the product itself. This can be done with a threat modelling exercise, where you consider:

  • Assets: List the assets to be protected and consider the impact of not having asset protection in place
  • Threats: Identify threats and their probability
  • Vulnerabilities: Identify any weaknesses in the system and account for existing countermeasures, if any
  • Risk: Assess the risk based on the consequences of not protecting assets, the likelihood of the threat, and existing safeguards
  • Priority: Once the risk is assessed and mitigation is evaluated, prioritise additional mitigations

There are various methods available for threat modelling such as STRIDE and CVSS. For further information on these methods, take a look at the further reading section at the end of this article.
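The five-step exercise listed above, worked through as a small risk register. This is an added example, not part of the original article: the hypothetical infusion pump, its assets, threats and weaknesses are constructed, and the 1-5 scales and the rule that safeguards reduce likelihood are assumptions rather than a prescribed method.

```python
from collections import namedtuple

# Constructed sample model of a hypothetical connected infusion pump.
# The 1-5 scales and the scoring rule are assumptions, not taken from a standard.
Asset = namedtuple("Asset", "name impact")            # impact if unprotected, 1..5
Threat = namedtuple("Threat", "name likelihood")      # likelihood, 1..5
Vulnerability = namedtuple("Vulnerability", "asset threat weakness safeguard", defaults=[0])

def assess(assets, threats, vulns):
    """Return one risk entry per vulnerability, highest residual risk first."""
    a = {x.name: x for x in assets}
    t = {x.name: x for x in threats}
    entries = []
    for v in vulns:
        if v.asset not in a or v.threat not in t:
            raise ValueError(f"unknown asset or threat in {v}")
        inherent = a[v.asset].impact * t[v.threat].likelihood
        # Existing countermeasures lower the effective likelihood, never below 1.
        residual = a[v.asset].impact * max(1, t[v.threat].likelihood - v.safeguard)
        entries.append({"asset": v.asset, "threat": v.threat, "weakness": v.weakness,
                        "inherent": inherent, "residual": residual})
    # Priority: residual risk first; inherent risk breaks ties.
    return sorted(entries, key=lambda e: (-e["residual"], -e["inherent"]))

def unassessed_assets(assets, vulns):
    """Assets with no recorded weakness: a gap in the model, not zero risk."""
    covered = {v.asset for v in vulns}
    return [x.name for x in assets if x.name not in covered]

ASSETS = [Asset("dose settings", 5), Asset("patient records", 4),
          Asset("firmware image", 5), Asset("audit log", 2)]
THREATS = [Threat("command spoofing", 3), Threat("malicious update", 2),
           Threat("network interception", 4)]
VULNS = [
    Vulnerability("firmware image", "malicious update", "one signing key for all models", 1),
    Vulnerability("patient records", "network interception", "fallback to unencrypted transport", 2),
    Vulnerability("dose settings", "command spoofing", "unauthenticated pairing"),
]

if __name__ == "__main__":
    for e in assess(ASSETS, THREATS, VULNS):
        print(f'{e["residual"]:>2} (was {e["inherent"]:>2})  {e["asset"]}: {e["weakness"]}')
    print("not yet assessed:", unassessed_assets(ASSETS, VULNS))
```

Keeping both the inherent and the residual score shows how much each ranking depends on an existing countermeasure continuing to work, and the unassessed list catches assets that were listed but never analysed.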

Hardware, Software & Secure coding

Hardware requirements

Key medical device security requirements include software integrity/authenticity and data confidentiality. Implementing these requirements is not possible without hardware support, so the first step when designing a product is to ensure that your chosen processor supports certain security features such as:

  • Secure boot (customer programmable keys, key revocation support, easy access to code signing tools and detailed security documentation)
  • Secure key storage
  • Secure memory

Software supply chain security

In order to reduce the risk of supply chain attacks, any brought-in source code should be designated as Software of Unknown Provenance (SOUP) and vetted accordingly.

Secure coding practices

As well as developing robust device security principles, ensuring the security of your code is an equally critical aspect of device security. Your coding guidelines need to include secure coding practices, and your code reviews should hold software developers accountable for security.

Testing & Manufacture

Security testing should be given careful consideration, and as with any other medical device testing, a plan should be created. Your Security Test Plan should outline your proposed testing methods that aim to support the cybersecurity of your device e.g., Security Testing Tools and Penetration Testing. Lastly, don’t overlook the security of your manufacturing process.

Securing your manufacturing process is the final step in building a thorough defence against cybersecurity threats, so any tools required to securely program devices, or to configure or provision devices need to be controlled.

Further support & guidance

Laws & Regulations

Various laws have recently been passed to improve the cybersecurity of medical devices:

Americas:

  • 2021 Executive Order
  • H.R.1668: IoT Cybersecurity Improvement Act
  • California SB-327
  • Oregon HB 2395 (2019)

EMEA:

  • European Cyber Security Act

APAC:

  • Singapore CLS (Cybersecurity Labelling Scheme)
  • Australia Code of Practice

In the EU, cybersecurity of medical devices is considered part of the General Safety and Performance Requirements (GSPR) of the Medical Device Regulation MDR 2017/745. In addition, the General Data Protection Regulation (GDPR) introduces certain data requirements and provides EU residents with fundamental rights over their data and its protection.

In the US, as part of the software validation and risk analysis required by 21 CFR 820.30(g), software device manufacturers need to establish a cybersecurity vulnerability and management approach. In addition, manufacturers and/or other entities, depending on the facts and circumstances, may be obligated to protect the confidentiality, integrity, and availability of patient information throughout the product lifecycle, in accordance with applicable federal and state laws, including the Health Information Portability and Accountability Act (HIPAA).

Industry standards & guidance

In addition to the legislation, the following guidelines on medical device cybersecurity should be considered when developing a connected medical device:

EU:

US:

Further reading

The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook outlines a framework for health delivery organisations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, to ensure the effectiveness of devices, and to protect patient safety.

And finally, the resources below provide more information on principles for medical device security and secure coding practices:

Should you have a cybersecurity-related challenge as part of your medical device project, our eHealth team is ready and happy to help. Simply get in touch to start the conversation.
