Cybersecurity for medical devices

Society is becoming increasingly digitalized, which in itself poses risks, especially in relation to cybersecurity. Basic pillars of society such as energy, transport, water, banking and financial market infrastructure need to be secured. This also applies to healthcare and all of our digital infrastructure. All these sectors are crucial to our economy and society, and they all rely on functioning and secure information and communication technologies. The right technology, compliant with applicable laws and regulations, can protect critical functions and reduce the risk of cyber attacks.


Impact of the NIS2 directive on medical device manufacturers

The NIS2 Directive entered into force in 2023 with the aim of raising the overall level of cybersecurity in the EU. The legislation is a reaction to the increased digitization and the escalating threats in cybersecurity. So what does this mean for you as a manufacturer of medical devices and what measures will be required?

One of the cornerstones of the Medical Device Regulation (MDR) and the In Vitro Device Regulation (IVDR) is the so-called General Safety and Performance Requirements (GSPR). The most common way to demonstrate compliance with the GSPR is to use so-called "harmonized standards" together with the guidance documents issued by the European Commission. The purpose of the guidance documents is to communicate the current interpretation of how the regulations should be applied.

Standards in practice - what applies?

When it comes to cybersecurity, the guide MDCG 2019-16 Rev 1 (Guidance on cybersecurity for medical devices) indicates which GSPR requirements are indirectly affected by the cybersecurity requirements. The guide provides good general information, but lacks concrete conclusions on which standards can be used to demonstrate compliance. MDCG 2019-16 Rev 1 refers to about 20 cyber-related standards, many of which overlap. So which standards should you use? There is no simple answer to this question, as it is currently somewhat unclear which of these standards actually apply.

As a manufacturer of medical devices, IEC 81001-5-1 (Health software and Health IT systems safety, effectiveness and security; Security, activities in the product life cycle) is often the standard you start from, and also the standard that the Notified Body requests as part of the technical documentation for the manufacturer's CE marking. Interestingly, this particular standard is not yet mentioned in MDCG 2019-16 Rev 1, but it is planned to be harmonized with MDR/IVDR in May 2024. In other words, there is a certain delay between regulations and standards, so it is important to stay informed.

What is the first step?

Threat modeling for your system or product is a good first step. It is a way of identifying and documenting the current threat landscape and the possible attack paths into the product or system. This then forms the basis for further work on cyber-related risks. Once the relevant threats have been identified, protection can be implemented in the form of defence-in-depth design, authentication, monitoring and more, to protect sensitive data. Note that your product may not always be the primary target for an attacker: the ultimate goal may instead be access to a hospital's IT system, via your product. For example, the overall aim could be to shut down or lock parts of a hospital and then demand money to unlock them, known as ransomware.

Cybersecurity and IEC 62304 Software lifecycle processes

One of the major advantages of IEC 81001-5-1 is that it is harmonized with IEC 62304 (Software lifecycle processes) for software development. In other words, it is relatively easy to weave the additional cybersecurity requirements into your existing software development processes. The biggest additions concern the software architecture and 'Secure design', where you design your software in such a way that it is more difficult for unauthorized persons to gain access to sensitive information or parts of the system. When it comes to software testing, some tests are added, such as threat mitigation testing, vulnerability testing and so-called penetration testing.

Security risk management process

Managing risks related to cybersecurity requires a slightly different mindset than dealing with more traditional patient and operator risks. Here, the threat comes from the outside and is not necessarily about your product itself, but rather about where it is used within an IT system. IEC 81001-5-1 includes an alternative risk process for managing these types of threats, called the 'Security Risk Management Process', where you identify vulnerabilities, external threats and the consequences these may have. Here it is important not only to look at your product in isolation, but also to include where and how it will be installed in a larger context, i.e. the entire IT structure.
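The two points above, that attack paths may lead through the device into the hospital's IT and that the product must not be assessed in isolation, can be made concrete with a small threat-model exercise. The following Python script is an added illustration, not part of the original article or of IEC 81001-5-1; the assets, attack steps, controls and consequence values are constructed for a hypothetical network-connected device and are not taken from any real product.

```python
"""Toy threat model: attack paths from a connected medical device into hospital IT.

Constructed example: a hypothetical device with a web UI, installed on a hospital
LAN that also hosts a patient-record server. Consequence values (1-5) are made up.
"""
from collections import deque

# Assets and the consequence (1-5) of an attacker reaching them.
ASSETS = {
    "device_ui": 2,     # device web interface (constructed)
    "device_os": 3,     # device operating system (constructed)
    "hospital_lan": 4,  # the hospital network the device sits on
    "ehr_server": 5,    # patient records; the ransomware target
}
PRODUCT_ONLY = {"device_ui", "device_os"}  # what an isolated assessment would look at

# Attack steps as (from, to, control that blocks the step if implemented).
STEPS = [
    ("internet", "device_ui", "firewall"),
    ("device_ui", "device_os", "authentication"),
    ("device_os", "hospital_lan", "network_segmentation"),
    ("hospital_lan", "ehr_server", "least_privilege"),
]


def reachable(entry, controls):
    """Breadth-first walk over attack steps whose blocking control is NOT in place."""
    seen, queue = {entry}, deque([entry])
    while queue:
        node = queue.popleft()
        for src, dst, ctrl in STEPS:
            if src == node and ctrl not in controls and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(entry)  # the entry point is the attacker's position, not an asset
    return seen


def risk_score(entry, controls, scope):
    """Sum the consequence of every asset in `scope` an attacker can reach."""
    return sum(ASSETS[a] for a in reachable(entry, controls) if a in scope)


if __name__ == "__main__":
    # Isolated view undercounts: the hospital assets behind the device are invisible.
    print("product-only scope, no controls :", risk_score("internet", set(), PRODUCT_ONLY))
    print("full IT context, no controls    :", risk_score("internet", set(), ASSETS))
    # A single control on the device-to-LAN step removes the path to patient records.
    print("with network segmentation       :", risk_score("internet", {"network_segmentation"}, ASSETS))
```

Each row of `STEPS` is one line of the security risk register: the vulnerability exploited, the asset exposed and the control that mitigates it, which is the shape of output the Security Risk Management Process asks for.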

Aftermarket analysis

Another important part of cybersecurity thinking is to have extended controls in your post-market analysis (Post Market Surveillance), as external threats change continuously. For example, there may be new types of cyber threats, new approaches, new methods, etc. that need to be addressed in your product. Thus, new requirements and risk mitigations may have to be implemented in your product because of external circumstances.

Finally, to think about

It is important to remember that cybersecurity is not just about your product and its security. NIS2 is about protecting our critical national systems, such as banking and healthcare, and your product plays an important role in this.

Does your company manufacture medical devices? Then you are probably aware of the increased requirements with the entry of the NIS2 directive. If you have a need for threat modeling, GAP analysis for cyber, extending existing SW or anything else on the subject, you are welcome to contact one of our experts.


Pst! Keep yourself constantly updated by having a good knowledge of current standards and guidance documents.

Standards:

  • IEC 62304 (Software lifecycle processes)
  • IEC 81001-5-1 (Health software and Health IT systems safety, effectiveness and security; Security, activities in the product life cycle)

Guide document:

  • MDCG 2019-16 Rev 1 (Guidance on cybersecurity for medical devices)

Article author

Gustav Hoppe, Plantvision AB
Senior Expert Consultant Medical Device and IVD
