
IT Security in Healthcare

The regulatory requirements for security in the EU are growing. In a previous blog I presented a framework of standards to approach these requirements. In the MDR (EU) 2017/745 Annex I, several requirements regarding the interaction of a device with an IT environment are included in the General Safety and Performance Requirements:

  • 14.2: Remove risk between software and IT-Environment
  • 14.5: Make interoperability and compatibility reliable and safe
  • 17.2: Medical Device Software or devices including software shall be developed according to the state of the art, including information security
  • 17.4: Define requirements for hardware, IT network and IT security measures
  • 18.8: Protect devices against unauthorized access
  • 23.4 (ab): information in the instructions for use shall include hardware, IT network and IT security measures.

Below I will try to give an overview of regulatory developments in the area of IT security.

  • MDCG 2019-16: Recently the Medical Device Coordination Group (MDCG) has published MDCG 2019-16, Guidance on Cybersecurity for medical devices (December 2019). Such guidance is not legally binding, but Notified Bodies have to follow it. This means you as manufacturers need to follow it too. Unfortunately, the guidance does not present a clear framework on how to approach the subject. It rather gives an overview of requirements and approaches that can also be found in other sources, such as:
    • ISO/IEC 80001-1 Application of Risk Management for IT networks Incorporating Medical Devices (Update expected Q1 2020)
    • IEC/TR 80001-2-2 Application of Risk Management for IT networks Incorporating Medical Devices Part 2-2: Guidance for the Disclosure and Communication of Medical Device Security Needs, Risks and Controls.
    • AAMI TIR 57 Principles for medical device security—Risk management

  • ISO 13485:2016: in clause 4.2 a new requirement related to the protection of confidential health information is included.

  • ISO 14971:2019: the scope of the latest version now specifically mentions risks related to data and systems security as an integral part of risk management, well explained by AAMI TIR 57. More guidance on risks related to security will be included in ISO/TR 24971, Medical devices - Guidance on the application of ISO 14971 (expected to be published in 2020).

  • IEC 60601-1 Ed. 3.1: in clause 14.6, Risk Management Process, the hazards arising from a lack of data security, including its effects on data privacy, and particularly vulnerability to tampering, unintended interaction with other programs and viruses, and failure of the IT network, are addressed.

    Within the IEC 60601/ISO 80601 series of standards for Medical Electrical Equipment, there is an interesting standard under development, IEC 60601-4-5, which I will address below.

Developments:

  • Controls: 
    With respect to the implementation of security controls, IEC TR 60601-4-5: Medical electrical equipment – Part 4-5 Guidance and interpretation – Safety related technical security specifications for medical devices is under development. The scope of the standard is IT security for medical devices; this includes software as a medical device.
    As also explained in AAMI TIR 57, a security risk control might affect safety and vice versa. The objective of IEC 60601-4-5 is to extend the implementation of Basic Safety and Essential Performance by defining the minimum necessary clinical functionality and the availability of the medical device.

    The standard defines security levels as controls for security risks, and it normatively references IEC 62443-4-2:2019 (Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components) and the IEC 80001-1 family of standards.

  • Process: 
    On the process side, a process standard is under development: IEC 80001-5-1: Safety, security and effectiveness in the implementation and use of connected medical devices or connected health software. Part 5-1: Security - Activities in the product lifecycle, available as a draft.
    The scope of the standard is 'Health Software', which includes Software as a Medical Device (SaMD) and software as part of a Medical Device. The standard specifies supplementary activities that manufacturers shall perform for information security, on top of the process defined by IEC 62304.
    What the standard does is, in precise alignment with the clauses of IEC 62304, add the activities and deliverables for security. For instance, in the Software Architectural Design clause (5.3) it can be read that the software architecture shall have multiple layers of defense and include functional security capabilities (controls as we know them from IEC TR 60601-4-5 and IEC TR 80001-2-2).

    In the US, FDA published the following guidance for Cybersecurity to be applied in Premarket Submissions:

    • 10/18/2018, Draft Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Provides recommendations to industry regarding cybersecurity device design, labeling, and documentation to be included in premarket submissions for devices with cybersecurity risk.
    • 12/28/2016, Final Guidance: Postmarket Management of Cybersecurity in Medical Devices. Provides recommendations to industry for structured and comprehensive management of postmarket cybersecurity vulnerabilities for marketed and distributed medical devices throughout the product lifecycle.
    • 1/14/2005, Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software. Many networked medical devices incorporate off-the-shelf software that is vulnerable to cybersecurity threats. Vulnerabilities may represent a risk to the safe and effective operation of networked medical devices and typically require an ongoing maintenance effort throughout the product life cycle to assure an adequate degree of protection.


    It is interesting to see that in the draft version (10/18/2018) of Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, FDA recommends adhering to the methods of the National Institute of Standards and Technology (NIST) Framework. In the NIST framework the system security levels are defined by the IEC 62443 series of standards. In the final version (10/2/2014) this was not so explicitly indicated.

    The International Medical Device Regulators Forum (IMDRF) published a guidance document Principles and Practices for Medical Device Cybersecurity, IMDRF/CYBER WG/N60FINAL:2020 on May 18, 2020. The suggested Framework of standards can be summarized as follows:

    • Risk Management: ISO 14971:2019; ISO/TR 24971:20xx; IEC 80001-1:2010; AAMI TIR 57:2016
    • Controls, Security Capabilities: IEC TR 80001-2-2 and others e.g. published by NIST


Can we see some trends in the approach to handle regulatory requirements for security, when looking at EU, FDA and IMDRF guidance?

  • For software life cycle development, the supplement of IEC 80001-5-1 to IEC 62304 looks promising.
  • For risk management, ISO 14971:2019 and ISO/TR 24971:20xx together with IEC 80001-1:2010 and AAMI TIR 57:2016 make up a nice set.
  • For controls implementation, I mentioned IEC TR 60601-4-5 and the NIST framework. Both implement Security Levels by referencing the IEC 62443 series of standards.

Just give us a call or drop a message to see how Qserve can support you in these times.

Jaap Noordmans

References

1. ISO 14971:2019 Medical devices — Application of risk management to medical devices. Edition 2019-12.
2. ISO/TR 24971 Medical devices — Guidance on the application of ISO 14971. Draft.
3. IEC 80001-5-1 Safety, security and effectiveness in the implementation and use of connected medical devices or connected health software - Part 5-1: Security - Activities in the product lifecycle. Edition 1 (draft).
4. IEC 80001-1:2010 Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities. Edition 1.0 2010-10.
5. IEC 62443-4-2:2019 Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components. Edition 1.0 2019-02.
6. IEC 60601-1:2005+A1:2012 Medical electrical equipment - Part 1: General requirements for basic safety and essential performance. Edition 3.1 2012-08.
7. IEC/TR 80001-2-2:2012 Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls. Edition 1.0 2012-07.
8. IEC/TR 60601-4-5 Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety related technical security specifications for medical devices. Edition 1 (under development).
9. EN ISO 13485:2016 Medical devices - Quality management systems - Requirements for regulatory purposes (ISO 13485:2016, IDT). Edition 2016-03.
10. AAMI TIR57:2016 Principles for medical device security — Risk management. Approved 5 June 2016.
11. US Food and Drug Administration (FDA). Postmarket Management of Cybersecurity in Medical Devices. Guidance for Industry and Food and Drug Administration Staff. Document issued on December 28, 2016.
12. US Food and Drug Administration (FDA). Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software. Document issued on January 14, 2005.
13. US Food and Drug Administration (FDA). Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Draft Guidance for Industry and Food and Drug Administration Staff. Document issued on October 18, 2018.
14. IMDRF Medical Device Cybersecurity Working Group. Principles and Practices for Medical Device Cybersecurity. IMDRF/CYBER WG/N60FINAL:2020, 18 March 2020.
15. Medical Device Coordination Group. Guidance on Cybersecurity for medical devices. MDCG 2019-16.


Published on: April 30, 2020