SPOTLIGHT Medical Cybersecurity


The new healthcare hazard: cybersecurity


By Richard Poate, Senior Manager at TÜV SÜD, a global product testing and certification organisation


The Internet of Medical Things (IoMT) is transforming healthcare. But, as medical devices become more connected they also become more vulnerable to cyberattack, exposing the people who use them to previously non-existent hazards. Hence, all digital healthcare and medical devices must be thoroughly tested and secure. This includes compliance with global regulatory requirements, such as the In Vitro Diagnostic Medical Device Regulation (IVDR), the In Vitro Diagnostic Medical Device Directive (IVDD), the Medical Device Regulation (MDR) in the EU, as well as the regional requirements of the US FDA, China FDA and the Japan Ministry of Health and Welfare.


Regulations and standards

Yet, there are still no harmonised standards for cybersecurity of medical devices. The FDA, EU and Health Canada are working on standards and guidance documents that will indicate the need to consider vulnerability scans and penetration tests during the development of medical devices. There are also some existing documents that are applicable, including:

• IEC/TR 60601-4-5 – Safety-related technical security specifications for medical devices (under development);


• IEC 80001-5-1 – Application of risk management for IT networks incorporating medical devices (under development);


• UL 2900-2-1 – The USA Food & Drug Administration’s cybersecurity aid for industry and regulators.


The EU’s MDCG 2019-16 – Guidance on Cybersecurity for medical devices – is one of the most important guidelines for MDR implementation. This document provides manufacturers with guidance on how to fulfil all the relevant essential requirements of Annex I to the MDR and IVDR regarding cybersecurity. These two regulations require that devices are fit for the new technological challenges linked to cybersecurity risks, with new essential safety requirements for all medical devices that incorporate electronic, programmable systems and software that is a medical device in itself. Manufacturers are now also required to develop and manufacture their products in accordance with the state-of-the-art, taking into account the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorised access.

34 November 2020 | Automation


Cybersecurity requirements

Cybersecurity requirements listed in Annex I of the MDR include some key concepts involved in IT security specifically for medical devices, like:

• Confidentiality of information at rest and in transit;

• Integrity, necessary to ensure information authenticity and accuracy (i.e. non-repudiation); and

• Availability of the processes, devices, data and connected systems.

When assessing risks in accordance with Annex I of the MDR, it is important to include security issues in the risk assessment, even in cases where security is not stated explicitly in the regulations’ requirements. During the risk-management process, the manufacturer should foresee or evaluate the potential exploitation of those security vulnerabilities that may be a result of reasonably foreseeable misuse. Hence, manufacturers must distinguish two important areas:

• Safety risk management normally covered in the overall product risk management; and

• Security risk, which is not associated with safety.

Section 3.7 of the MDCG states that the primary means of security verification and validation is testing. Therefore, cybersecurity must be based on a well-structured development and testing process. For example, after any software changes, a vulnerability scan or penetration test should be repeated, at least partly.

Manufacturers must also consider security-related tests regarding the change, as well as conduct regression tests which show that the change did not have a negative effect on the cybersecurity of the device. Manufacturers must prove due diligence – that they have taken appropriate actions to bring safe products onto the market. They can conduct their own tests, but they must have the appropriate competences within the organisation. They must, therefore, ensure and demonstrate that they have enough expertise to guarantee IT security in line with the state-of-the-art.


Patient care


Digitisation and increasing connectivity deliver enormous opportunities such as increased efficiencies and unmatched flexibility, enabling real-time data access for medical practitioners to improve patient care. As medical devices become increasingly integrated, the healthcare business will be transformed. Medical professionals have a whole new world of data at their fingertips, while patients can be monitored from home, potentially making routine checkups a thing of the past. This is changing healthcare as we know it, but it also exposes the people who use connected devices to hazards that did not previously exist, since unforeseeable risks and serious vulnerabilities can be exploited by new forms of cybercrime. While the IoMT presents powerful opportunities for device manufacturers to develop new competitive advantages, they must be fully prepared to address the risks inherent in digitisation. It is therefore vital that manufacturers ensure up-to-date compliance with all required standards and constantly review the ‘cyber resistance’ status of devices. Ongoing investment in cybersecurity is crucial to keep up with both technological developments for competitive advantage and effective measures to combat cyberattacks.


CONTACT:


TÜV SÜD www.tuv-sud.co.uk


automationmagazine.co.uk

