Cybersecurity Requirements for Medical Devices


    On September 26, 2023, the Food and Drug Administration (FDA) released its finalized guidance document, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. The document provides general principles for device cybersecurity that are relevant to device manufacturers, and it emphasizes the importance of safeguarding medical devices throughout the product life cycle. The guidance goes beyond security risk management and cybersecurity testing: it recommends that device manufacturers implement security controls to achieve the following security objectives:

    • Authenticity, which includes integrity;
    • Authorization;
    • Availability;
    • Confidentiality; and
    • Secure and timely updatability and patchability.

    Premarket submissions are expected to include information describing how the above security objectives are addressed by, and integrated into, the device design.

    The FDA guidance clearly states:
    “While software development and cybersecurity are closely related disciplines, cybersecurity controls require testing beyond standard software verification and validation activities to demonstrate the effectiveness of the controls in a proper security context to therefore demonstrate that the device has a reasonable assurance of safety and effectiveness.”

    The security testing documentation submitted with the premarket submission is therefore expected to include:

    • Verification of the implemented security requirements
    • Effectiveness and adequacy of each cybersecurity risk control
    • Vulnerability testing, and
    • Penetration testing

    Medical device security plays a crucial role in safeguarding the people who use these products as well as the healthcare organizations that deploy them. Specifying security requirements and providing guidance to device manufacturers is welcome and very useful. It is important to keep in mind, however, that most medical devices are marketed in several geographic regions and must comply with multiple national regulations. The FDA regulates medical devices in the U.S., whereas the European Medical Device Regulation (MDR), Regulation (EU) 2017/745, which has applied since May 2021, covers any manufacturer seeking to market medical devices in Europe. Harmonization of standards and requirements is therefore very welcome to device manufacturers, and there are initiatives to establish global standards and global certification schemes for assessing the cybersecurity of medical devices.

    The Institute of Electrical and Electronics Engineers (IEEE) has established a Medical Cybersecurity Certification Program, developed by the IEEE 2621 Conformity Assessment Committee (CAC), which is composed of stakeholders such as manufacturers, clinicians, the FDA, test laboratories, cybersecurity solution providers, and industry associations from around the world. The IEEE certification program is already applied to diabetes medical devices and will be extended to other devices. It provides:

    • Insight into, and adherence to, global consensus-based industry standards
    • Knowledge of FDA submission criteria
    • Adherence to best practices
    • Identification of ways to mitigate cyber attacks

    atsec is proud to be the first testing laboratory recognized by IEEE for this program, with its primary location in Stockholm, Sweden, and secondary locations in Munich, Germany, and Austin, Texas, U.S. The very first IEEE 2621 assessments of medical devices are ongoing and are planned to be finalized in Q4 2023.

    “Over the years, atsec has been closely monitoring the development of security requirements in the medical device industry. When approached to become a lab for IEEE 2621, we enthusiastically embraced the opportunity,” said Salvatore La Petra, President and Co-Founder of atsec information security.

    If you are interested in having your medical device evaluated, or have any questions about our evaluation services, please do not hesitate to contact us (info@atsec.com). We look forward to working with you.

    IEEE Corporate Advisory Group (CAG) members visiting atsec AB in Stockholm, Sweden, earlier in 2023.
     

  Original article: https://blog.csdn.net/weixin_54957825/article/details/133851630