First Guideline on cybersecurity of medical devices incorporating software (MDIS)

Cybersecurity is becoming increasingly important for the medtech sector as well, in view of technical advancement. It aims at incorporating measures, both technical and organisational, that preserve the integrity and availability of a medical device and the integrity of the data it holds.

The French competent authority can thus be commended for being the first to extensively address cybersecurity issues of MDIS in its newly published draft Guideline.

The 43-page document aims at providing manufacturers with recommendations for reaching a minimum acceptable level of risk of attacks against the medical devices they place on the EU market.

The Guideline first presents the regulatory basis that manufacturers must respect and build on, i.e. Annex I and Annex II of the new European regulatory framework (MDR and IVDR), while referring to the GDPR (General Data Protection Regulation) and to an "enhanced" Quality Management System (ISO 13485:2016) with the following elements:

  • Identification of the assets to be protected (e.g. patient data);
  • Definition of security objectives for those assets (e.g. integrity and confidentiality);
  • Security functions to reach the objectives (e.g. block encryption, collection of only essential data).

The document is divided into 5 key areas following the life cycle of a medical device, i.e. design, development, first use, monitoring and end of life, all arising from the risk analysis. It focuses on the security, not the safety, of MDIS, while differentiating between accidental faults and intentional ones, i.e. those of malicious intent. Below we present the main aspects of the general recommendations to manufacturers developing an MDIS.

  1. Software DESIGN activity
  • General provisions (the risk analysis is the basis for justifying all measures that protect the MD)
  • Define the context of use (health institution/home)
  • Access control (user permissions, e.g. fingerprint for a hardware chip)
  • Authentication management
  • Hosting (data security)
  • Environment of use (for secure operation of the MDIS)
  • MDIS connected to a network (special considerations)
  • Physical security (physical access)
  • Traceability and logs (tracking)
  • Self-monitoring function of the MDIS (to detect attacks) and a fail-safe mode (to recover data when an attack is detected)
  2. MD software DEVELOPMENT activity
  • Programming language
  • Validation methods (expected software functions)
  • Secure start-up and memory integrity (versions)
  • MD self-test mechanism
  • Documentation (covering technical properties)
  • Software verification methods and tools
  • Production launch checklist
  3. FIRST USE
  • Configuration
  • Integrity checks
  • Training of users
  4. MONITORING (a proactive activity, given the pace of technological advancement)
  • Create a vulnerability registration system
  • Report to the Competent Authority
  • Maintenance by authorised personnel
  • Action plan in case of an attempted attack
  5. END OF LIFE
  • Managing data when the whole device or part of it reaches the end of its life cycle
  • Operating systems (plan from the design phase, e.g. for Windows XP becoming obsolete)
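Several of the items above (secure start-up, memory integrity with versions, integrity checks at first use, traceability and logs) come together in one device-side routine. The following is an added illustration written for this post, not code from the Guideline or from any manufacturer: it verifies a software image against an authenticated manifest before accepting it, rejects a version rollback, and emits one log line per check. It assumes a constructed symmetric device key and an HMAC-SHA256 manifest; a real product would typically use an asymmetric signature and a hardware-backed key store, but the order and shape of the checks are the same.

```python
"""Added illustration (not from the Guideline): an integrity check for an
MDIS software image, as it might run at secure start-up and at first-use
configuration, with a traceability log entry for each outcome.

Assumptions (all constructed for this example): the device holds a
provisioned symmetric key, the update package carries a manifest listing
the image version and its SHA-256 digest, and the manifest is
authenticated with HMAC-SHA256 under that key.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample values; a real device keeps these in protected storage.
DEVICE_KEY = b"example-provisioned-key-do-not-use-in-production"
INSTALLED_VERSION = (2, 1, 0)   # version currently recorded in integrity memory


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _encode(body: dict) -> bytes:
    # canonical encoding so that signer and verifier hash identical bytes
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(image: bytes, version: tuple, key: bytes) -> dict:
    """Manufacturer side: build an authenticated manifest for an image."""
    body = {"version": list(version), "sha256": sha256_hex(image)}
    tag = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def _result(ok: bool, reason: str, version=None) -> dict:
    return {"ok": ok, "reason": reason, "version": version}


def verify_image(image: bytes, manifest: dict, key: bytes,
                 installed_version: tuple) -> dict:
    """Device side. Authenticate the manifest first, so that the digest and
    version it carries are trusted before they are compared with anything."""
    body = manifest["body"]
    expected_tag = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    # constant-time comparisons avoid leaking how many bytes matched
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return _result(False, "manifest authentication failed")
    if not hmac.compare_digest(sha256_hex(image), body["sha256"]):
        return _result(False, "image digest mismatch")
    if tuple(body["version"]) < installed_version:
        return _result(False, "version rollback rejected")
    return _result(True, "image accepted", tuple(body["version"]))


def log_entry(result: dict) -> str:
    """One traceability line per check: timestamp, outcome, reason, version."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    outcome = "PASS" if result["ok"] else "FAIL"
    return (f"{stamp} integrity_check outcome={outcome} "
            f"reason=\"{result['reason']}\" version={result['version']}")


if __name__ == "__main__":
    image = b"constructed firmware image bytes"
    good = make_manifest(image, (2, 2, 0), DEVICE_KEY)
    old = make_manifest(image, (1, 9, 0), DEVICE_KEY)
    print(log_entry(verify_image(image, good, DEVICE_KEY, INSTALLED_VERSION)))
    print(log_entry(verify_image(image + b"x", good, DEVICE_KEY, INSTALLED_VERSION)))
    print(log_entry(verify_image(image, old, DEVICE_KEY, INSTALLED_VERSION)))
```

The version comparison is what turns the "versions" part of memory integrity into an anti-rollback rule: an older, correctly signed image is still refused. Each outcome, pass or fail, produces a log line, which is what the traceability item asks for and what an action plan after an attempted attack will rely on.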

On page 40 of the Guideline you can find a comprehensive table with the columns Risk analysis, Vulnerabilities, Recommendations, Examples and References.

We will keep you informed on how the public consultation, open until the end of September 2019, influences the presented Guideline.
