Navigating Cybersecurity Standards and Regulations for Medical Devices
Keeping patient information and networks secure
23 November 2021
Today, the average hospital bed has 10 to 15 connected devices, providing diagnostic information to the patient's care team, monitoring the patient's vital signs and dispensing medicine for treatment. By having this crucial information at their fingertips, doctors, physician assistants and nurses are able to monitor their patients remotely, and provide more proactive care.
Due to the sensitive nature of patient medical information, as well as the increased risk if the devices or network to which they are connected is compromised, cybersecurity standards for medical devices have been developed by regulators in the U.S., Canada and the EU to ensure the security of devices and networks.
Medical device assessments are driven by regulators and suppliers. From a regulatory perspective, in the U.S. the Food & Drug Administration (FDA) outlines cybersecurity requirements. In the EU, there are the MDR, In Vitro Diagnostics Regulation (IVDR) and IMDRF Principles and Practices of Medical Device Cybersecurity.
In the U.S., the requirement is for the implementation of design, development, production, deployment and maintenance of regulated devices, resulting in a proactive view to cybersecurity. In Canada, the requirement is slightly different where the focus is on bill of materials (BOM) and lists of software. In Europe there is the Medical Device Regulation (MDR), which has a number of sets of principles. All have commonalities, but the best approach to compliance is to have one consistent method that addresses all compliance requirements.
The FDA approval in the U.S. process focuses on risk management and includes providing a product design review, risk analysis and verification and validation. If you are selling your product in the EU, the MDR process is similar to the FDA process, but risk is looked at a bit differently. In the EU regulators look to reduce risk in all operational modes to foresee the risk to ensure intended device performance and a high level of protection of health.
There are a number of reference standards that exist and help medical device manufacturers demonstrate compliance to the regulatory requirements, including UL 2900-2-1, IEC 62443 and NIST Framework:
- IEC 62443, which was originally created for connected power grids and data systems and industrial control systems, the requirements to ensure security of these systems do not differ significantly from what is required in a medical device. IEC is developing two new standards – 60601-4-5 and 80001-5-1 – specific to medical devices that are based on IEC 62443.
- ANSI/UL 2900 series of standards, of which ANSI/UL 2900-2-1 is specifically for medical devices, for the network and connectable components of healthcare and wellness systems. Devices built to this standard are best-in-class when it comes to security, if your product demonstrates this level of compliance, the FDA and MDR will accept the product, will exceed requirements from any regulator in the market.
It is best to reach out to the regulatory authority at the beginning stages of product development to determine what elements of the risk management process are most important to consider. However, while the wording of regulations can differ in each market, the testing is very consistent based on available standards. Intertek's cybersecurity experts have the knowledge to help you navigate the different regulatory requirements and standards for your connected medical devices.
Principal Software Security Analyst
Joe Dawson is a Principal Software Security Analyst for Intertek EWA-Canada based in St. John's, Newfoundland. Joe has more than 30 years' experience in Software Development, Data Communications, and Information Security, in both the public and private sectors. He currently sits on the Standards Technical Panels for all the UL 2900 family of standards and sits on one of the IEC 62443 standards committees.