In March of this year, the US FDA issued a new guidance on Cybersecurity in Medical Devices that set a deadline of 31 October 2023 for all new Medical Device submissions to be fully compliant with FDA’s requirements demonstrating cybersecurity compliance, for premarket submissions to be accepted. This marks the end of a more tolerant approach prior to that date, of working collaboratively with sponsors during submission review.
The US is a prime market for virtually all medical device manufacturers and is often the first jurisdiction targeted for regulatory approval. The announcement is forcing the hand of medical device designers and manufacturers globally to formalise their cybersecurity strategies for medical devices.
Currently there is a plethora of standards, regulations and guidance on cybersecurity from multiple jurisdictions globally. There are no harmonised cybersecurity standards for medical devices that are recognised by regulators, although they do recommend various medical and non-medical cybersecurity standards and technical reports for use as guidance. While having many of the same principles, these documents also often have specific requirements, making it difficult to discern the bottom line that needs to be adhered to satisfy everyone.
As a result, developers globally have been scrambling to check their cybersecurity techniques and associated documentation to ensure products submitted to FDA from November onwards do not run afoul of the FDA’s Refuse to Accept Policy.
In response, Genesys has conducted an exhaustive analysis of all the relevant standards and guidance, cross checking them against our current best practices. Below are some of our key findings that we are sharing in more detail with the NSW Active MedTech Community on 26 Sept 2023, to help our local ecosystem be globally competitive. See Active MedTech Uncorked – September Meeting.
As a base approach, we have determined the key standards that need to be adhered to, when targeting all of the key markets of Australia, the US and the EU. The key standards for these three jurisdictions (based on regulators’ guideline documents) are:
UL 2900 Software Cybersecurity for Network-Connectable Products including Part 1 on General Requirements and Part 2-1 on Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems
ANSI/ISA 62443-4-1 Security for industrial automation and control systems Part 4-1: Product security development life-cycle requirements
IEC 80001-1 Application of risk management for IT-networks incorporating medical devices – Part 1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software
AAMI TIR 57 Principles for medical device security - risk management
NIST SP 800-218 Secure Software Development Framework
Dissecting the detail of these and other standards yields a comprehensive checklist of cybersecurity considerations. Areas of analytical assessment include:
Safety impacts
Privacy considerations
Known vulnerabilities
Malware
Malformed inputs
Penetration testing
Software weaknesses
Source code
Binary and bytecode
Lifecycle considerations
Security considerations include:
Access control, user authentication and user authorisation
Remote communication
Software quality and coding standards
Cryptography
Sensitive data
Physical security
Human factors
Backup and disaster recovery
Emergency access
Logging and audit trails
Product management and software updates
On the back of this analysis, Genesys has revised the Cyber Security Compliance Manual in its QMS, and has upgraded its template documents for use in any particular product’s Design and Development File.
Complying with the key standards, and addressing the above dot points in accordance with a robust ISO 13485, ISO 14971 and IEC 62304 compliance regime, will ensure that regulatory submissions are credible in respect of cybersecurity compliance.
Our general approach is to ensure that any device we develop has a coherent cybersecurity architecture addressing a clearly defined attack surface. We identify potential vulnerabilities, relevant classes of threat actors and the type of attacks likely to come from each class. We then analyse the likely threat intensity of each attack vector and, using risk management techniques, assess the likelihood/impact of a determined attack.
It’s easy to feel overwhelmed by the challenge of cybersecurity. The sheer volume and density of technical detail in the above standards can be overwhelming for newcomers to the medical device industry. For help in addressing this challenge contact Genesys for more detailed advice on how your product can be in compliance and be cybersecure.
More Information:
Comments