In the previous blog post, we discussed the dilemma of developing software with agile methods in a regulated environment (RegOps). This time, we look at one of the trending topics in medical device software development: cybersecurity.
Medical device development is generally a highly regulated domain. Software development is no exception, because software intended for medical use is a medical device as such (software as a medical device, SaMD). The EU regulatory framework is currently evolving, and the new regulations take a more explicit position on the cybersecurity aspects of devices.
Five months until MDR – secure your readiness soon
In the two new Regulations, MDR and IVDR, cybersecurity is addressed from a broader perspective than in the current Directives. Unfortunately, however, they still lack a clear and complete list of cybersecurity requirements. Instead, the requirements concern many interrelated processes.
To help readers interpret the new Regulations, the Medical Device Coordination Group (MDCG) published a guidance document, “MDCG 2019-16 Guidance on Cybersecurity for medical devices”, in December 2019. Although the document is not legally binding, it is highly recommended for medical device software manufacturers, because it gives useful insight into what the regulatory authorities expect of the devices’ cybersecurity.
The new requirements create various new challenges for medical device manufacturers. In this blog, we explore some of the main changes and look at the common challenges we have seen companies face. In the future, it is not enough to have “some threat analysis made, some risk mitigations implemented, and some correct risks identified”. All these tasks must be done systematically and documented accordingly.
Furthermore, the healthcare sector is facing new cybersecurity challenges because of digital transformation. Many big players in the healthcare domain are beginning to rely on a wider range of technology, such as mobile applications and public cloud services. While the benefits are clearly visible, the increased complexity of the computing environment is creating new cybersecurity threats. Security incidents involving sensitive health data and ransomware attacks on life-critical services carry a high potential risk and are unfortunately common today.
Security risks force the updating of risk management processes
Cybersecurity, like many other topics around medical devices, starts with risk management. It is essential to understand the concept of risk, and the difference between safety and security risks, in order to plan and execute the required actions properly.
Our approach, supported by MDCG 2019-16, distinguishes three types of risk: security risks without a safety impact; security risks with a safety impact; and safety risks with no connection to security. The reason for the distinction is that “harm” is defined differently in the safety and security contexts. Risks without a safety impact can be managed within security risk management, without being escalated to the safety risk management process.
Figure: The relationship between security and safety risks, adapted from AAMI TIR57:2016, Principles for medical device security—Risk management.
One of the first challenges is how to combine security risk management with the manufacturer’s existing safety risk management process (which generally complies with the ISO 14971 standard). It should be highlighted that cybersecurity-related risks with any connection to safety should already be managed appropriately today. However, our practical experience tells us this is not the case in many companies. The gap between the new Regulation’s requirements and the existing implementation is therefore in many cases larger than the difference between the Directive and the Regulation.
Cybersecurity capabilities require resourcing
Adjusting the current risk management process to comply with all the new requirements requires many types of expertise. And that is the next challenge. Is your company equipped with cybersecurity professionals? Can you identify all the relevant and technically detailed cybersecurity threats? Do you have enough resources to implement the required security risk controls? If not, you’d better do something about it soon!
To be truly effective, safety risk management requires a multi-professional team. The risk management team can contain clinical experts, domain experts, product specialists, UX experts and software developers. These different specialists’ specific expertise is needed to successfully identify and manage all the safety aspects related to the product.
The same principle applies to security: the team needs to have in-depth cybersecurity competence. As usual, when operating within the quality management system, the competence requirements must be carefully defined and documented. The competence characteristics to consider are, for example, knowledge of evaluating security threats and vulnerabilities, awareness of the security risk landscape (medical devices and general-purpose computing platforms such as cloud platforms), and experience of a secure development lifecycle.
Tackling cybersecurity threats is not a one-time shot
The new Regulations make significant changes to the requirements in the post-market area. These enhanced requirements must also be taken into account in the cybersecurity domain. The purpose of the post-market activities is to maintain the device’s security, safety and efficiency after its release.
The real challenge is interpreting and applying the post-market requirements in practice. How can you control and monitor the ever-changing threat environment? How can you detect vulnerabilities in third-party libraries? How do you build mechanisms for handling reports of potential vulnerabilities from people outside the intended user group, such as security researchers?
All the collected post-market security information should be evaluated for possible relevance to device security and for potential safety impacts. Doing all this work, and documenting it properly, requires new skills and will put manufacturers’ cybersecurity capabilities to a major test. The most important thing is to ensure that cybersecurity management is a continuous process.
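The following script is an added illustration, not code from the original post or from any manufacturer’s process. It ties together two points above: the three-way split between security risks with and without a safety impact, and the post-market evaluation of third-party library vulnerabilities. It takes a device’s component inventory and a list of published advisories, records an evaluation for every advisory that names an inventoried component (including “not affected”, since the assessment itself must be documented), and routes each affected finding either to security risk management alone or to escalation into the safety risk management process. All component names, versions and advisory identifiers are constructed placeholders, and the escalation rule (safety-relevant component plus an integrity or availability impact) is an assumption chosen for the example, not a rule stated by MDCG 2019-16.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


class RiskRoute(Enum):
    """Where a post-market finding is handled, following the split described in the post."""
    NOT_AFFECTED = "not affected; record the evaluation only"
    SECURITY_ONLY = "security risk without safety impact; security risk management"
    SECURITY_WITH_SAFETY = "security risk with safety impact; escalate to safety risk management"


@dataclass(frozen=True)
class Component:
    name: str
    version: Version
    safety_relevant: bool  # True if the component can influence a safety function of the device


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed placeholder ids, not real identifiers
    component: str
    fixed_in: Version         # versions strictly below this are affected
    affects_integrity_or_availability: bool  # False for a confidentiality-only issue


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    component: str
    route: RiskRoute
    rationale: str


def parse_version(text: str) -> Version:
    """'2.3.1' -> (2, 3, 1); tuple comparison then orders versions numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    return component.name == advisory.component and component.version < advisory.fixed_in


def route_finding(component: Component, advisory: Advisory) -> Finding:
    """Decide which risk process a single (component, advisory) pair belongs to."""
    if not is_affected(component, advisory):
        return Finding(advisory.advisory_id, component.name, RiskRoute.NOT_AFFECTED,
                       "installed version is at or above the fixed version")
    # Assumed escalation rule: harm in the safety sense needs a path to the patient, so the
    # component must be safety-relevant AND the weakness must be able to alter or deny its
    # behaviour. A confidentiality-only issue stays a security risk even in such a component.
    if component.safety_relevant and advisory.affects_integrity_or_availability:
        return Finding(advisory.advisory_id, component.name, RiskRoute.SECURITY_WITH_SAFETY,
                       "affected, safety-relevant component, integrity/availability impact")
    return Finding(advisory.advisory_id, component.name, RiskRoute.SECURITY_ONLY,
                   "affected, but no credible path to patient harm")


def triage(inventory: List[Component], advisories: List[Advisory]) -> List[Finding]:
    """Evaluate every advisory that names an inventoried component. 'Not affected'
    evaluations are kept too, because the assessment itself has to be documented."""
    by_name = {c.name: c for c in inventory}
    findings = []
    for adv in advisories:
        comp = by_name.get(adv.component)
        if comp is None:
            continue  # advisory concerns a component the device does not contain
        findings.append(route_finding(comp, adv))
    return findings


def escalation_list(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group advisory ids by route; the SECURITY_WITH_SAFETY group is what enters the ISO 14971 process."""
    groups: Dict[str, List[str]] = {route.name: [] for route in RiskRoute}
    for f in findings:
        groups[f.route.name].append(f.advisory_id)
    return groups


# Constructed sample data: hypothetical components, versions and advisory ids.
INVENTORY = [
    Component("dose-calc-lib", parse_version("2.3.1"), safety_relevant=True),
    Component("tls-stack", parse_version("1.4.0"), safety_relevant=False),
    Component("log-exporter", parse_version("0.9.2"), safety_relevant=False),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "dose-calc-lib", parse_version("2.4.0"), True),
    Advisory("ADV-EXAMPLE-0002", "tls-stack", parse_version("1.5.0"), False),
    Advisory("ADV-EXAMPLE-0003", "log-exporter", parse_version("0.9.0"), True),
    Advisory("ADV-EXAMPLE-0004", "image-viewer", parse_version("3.0.0"), True),  # not in inventory
]

if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        print(f"{f.advisory_id:18} {f.component:14} {f.route.name:22} {f.rationale}")
```

In a real process the inventory would come from the device’s software bill of materials and the advisories from the vendors’ and public vulnerability feeds; the point of the example is that the routing decision and its rationale are recorded for every advisory, so the continuous post-market evaluation leaves the audit trail the Regulations ask for.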
Sounds complicated? Maybe, but with good planning and the right competences, it is just another piece of work to do. In the near future, we will address this subject with more details about real-world solutions – and of course, with reflections about our own experiences. We wish you a merry Christmas and a care-free new year!