Medical Electronics


Ensuring the cybersecurity of medical devices


Joe Lomako, business development manager (IoT) at TÜV SÜD


Few innovations in recent memory have done more to transform healthcare than the use of connected technologies. However, the expanding use of connected technologies in the delivery of healthcare services also introduces a number of potentially significant cybersecurity risks. With the anticipated growth in the deployment and use of connected medical devices, the number of cyberattacks is only likely to increase.


Amidst this growing threat landscape, regulators in major jurisdictions are increasingly aware of the need to provide the industry with clearer and more direct regulations and guidance on developing connected medical devices that can help secure them from the most likely cyber threats. However, while there are a number of industry-accepted standards available that are applicable to cybersecurity issues in general, medical device manufacturers have lacked a life cycle standard that directly addresses the issue of cybersecurity as it impacts connected medical devices. The absence of a dedicated standard has held back efforts to deploy common strategies to protect advanced connected medical technologies from current and future cybersecurity concerns.


To fill this critical void, the International Electrotechnical Commission (IEC) has developed a new standard focused exclusively on cybersecurity issues impacting software used in connected health technologies. This includes medical devices, and consumer-oriented health products and applications. Released in December 2021 after more than three years of discussions and deliberations, IEC 81001-5-1 is an important supplement to IEC 62304, “Medical device software – Software life cycle processes”, which establishes a common framework for the life cycle processes related to medical device software.


16 May 2023


Specifically, IEC 81001-5-1 addresses security issues related to all types of “health software,” which is defined in the standard as: “Software intended to be used specifically for managing, maintaining, or improving the health of individual persons, or the delivery of care, or which has been developed for the purposes of being incorporated into a medical device.” As this definition clearly confirms, the broader scope of “health software” includes not just manufacturers of medical devices but also software developers, whose products and applications are used in a variety of health-related systems and devices, as well as software as a medical device (SaMD) and software-only products intended for health-related uses. IEC 81001-5-1 also covers the entire product life cycle of health software, from product development through post-market use and monitoring. For this reason, the standard also recognises the critical role of healthcare delivery organisations in maintaining effective cybersecurity practices, emphasising the importance of bilateral communications between device manufacturers and software developers, as well as those responsible for the actual use of connected devices.


Components in Electronics


Like other process-related standards, IEC 81001-5-1 details the activities to be undertaken by the manufacturer or software developer as part of the overall product development life cycle to help ensure protection against cyberthreats. Specific activities are described in clauses four to nine of the standard, as follows:

Clause 4 – General requirements
Clause 5 – Software development process
Clause 6 – Software maintenance process
Clause 7 – Security risk management process
Clause 8 – Software configuration process
Clause 9 – Software problem resolution process


IEC 81001-5-1 also includes several informative Annexes that can help manufacturers and developers meet the requirements of the standard. Annex B provides guidance on the implementation of life cycle activities to help ensure the security of health software. Annex C provides a detailed discussion of threat modelling, a systematic approach for analysing the security of a device or an application to facilitate the identification and prioritisation of potential security threats. It also offers details on a number of approaches that can be used to develop an accurate threat model.


IEC 81001-5-1 is expected to be designated by the EU Commission as a harmonised standard under the MDR with an anticipated effective date in May 2024. The standard is also likely to be recognised by the U.S. FCC as a “consensus standard” that can be used in support of submissions for 510(k) and PMA review. But, regardless of the standard’s actual effective date, connected device manufacturers and developers of health software can gain significant benefits from meeting the requirements of IEC 81001-5-1 in current and future product designs.


In today’s highly connected world, cyberattacks against critical systems and equipment are becoming an all-too-frequent occurrence. Quality healthcare depends on secure access to advanced medical technologies that use software and communications protocols to actively exchange vital patient information with other medical systems and devices. Cyber breaches impacting medical devices not only put the safety of individual patients at risk, but also severely compromise the quality of healthcare for people worldwide. The growing cyber threat landscape for connected medical devices therefore requires that device manufacturers and software developers take a proactive approach in designing their products to minimise the risk of potential cybersecurity vulnerabilities. IEC 81001-5-1 provides a detailed roadmap that manufacturers and developers can adopt, thereby helping to ensure the safety and security of their products through the entire lifecycle.


www.tuvsud.com/en-gb/industries/healthcare-and-medical-devices


www.cieonline.co.uk.uk

