Consider Cybersecurity Early When Developing Your Medical Device Design

Three Important Questions to Ask:

  1. Will this Medical Device be connected to a network?
  2. How would a breach of this Medical Device affect patient safety along with corporate negative publicity?
  3. What role will labeling play in the overall security of this Medical Device?

The answers to these questions should be well-thought out, reviewed, and have corporate approval prior to starting a new Medical Device project.

  1. The choice of connection to a network for any Medical Device will significantly impact the effort associated with the design and test of the device.
    • The decision to isolate the Medical Device from any type of network (either wired or wireless) does not eliminate Cybersecurity risk; the remaining risks must still be addressed in a formal assessment. The FDA-recognized consensus standard most frequently used for this assessment is AAMI TIR57:2016 Principles for medical device security – Risk assessment. Purchasing this standard is essential for producing the documentation the FDA expects on the Cybersecurity content of a Medical Device under consideration for approval. Testing of a non-networked device is limited to thorough testing of device performance, Off-The-Shelf software (if used), static and dynamic code analysis, robustness testing, and boundary analysis.
    • The decision to network the Medical Device introduces Cybersecurity risks that are far more numerous and complex than those of a non-networked Medical Device. TIR57 is again used to document the risk assessment, but it will point to several network-related requirements that demand rigorous testing to ensure the device is secure. The same testing requirements listed in the previous bullet still apply. In addition, vulnerability scanning, penetration testing, and outside (third-party) testing are required. These tests must be thorough enough to provide the evidence needed to demonstrate that the Medical Device is not vulnerable to malicious attacks from remote threats. Finally, the FDA is emphasizing the use of labeling in device manufacture in its latest premarket guidance (see item 3 below).
  2. The impact of a breach of the Medical Device should be weighed when examining the Cybersecurity of the device.
    • Patient safety – This is obviously the most critical component of Medical Device design. The three Medical Device classes (I, II, and III) largely determine the relative weight that safety must carry in each device's design. An electric toothbrush is an example of a Class I Medical Device; only a handful of design decisions are required to help ensure patient safety (e.g. electrical shock prevention). An insulin pump is typically an example of a Class II Medical Device; the design decisions for this class could double or triple those of a Class I device (e.g. how to design mitigations for over- or under-dosing of insulin). An Implantable Cardioverter-Defibrillator (ICD) is an example of a Class III Medical Device; the design decisions for this class would likely double those of a Class II device, because failure of the device in any way could result in patient death. Maintaining the Essential Performance of a Class III Medical Device is critical to patient safety, so the integrity of the device software must be of the highest degree. Any malicious Cybersecurity attack that causes loss of Essential Performance and even a single patient death would likely have a catastrophic impact on the Medical Device manufacturer. Development of ICD software would include complete testing of the code down to the lowest level of logic, along with all other aspects of development per IEC 62304:2015 Medical device software – Software lifecycle processes, such as configuration management. Software updates, typically delivered by wireless transfer, must also be highly secure to prevent malicious attacks from ‘sniffers’ that could alter the behavior of the software following the update.
    • Corporate image – When examining the effect of a breach of a Medical Device, the impact on the business could be devastating (even to the extent of dissolution). It stands to reason that smaller medical device companies are less likely to be the target of a malicious attack from a remote threat. But smaller companies have fewer resources with which to combat an attack, and the loss of their main source of income could lead to bankruptcy. Larger Medical Device companies have more exposure to malicious attacks due to multiple product offerings and are typically well known in terms of name recognition. These companies may also have their own legal department (or contracts with outside law firms) to help handle potential lawsuits from patients who may have been injured by the breach. Patients' personal information may also be part of the damages incurred by the breach. Overall, even if patient safety has not been compromised, the mere identification of an exploitable vulnerability (even if disclosed by a neutral party such as a university) could have long-lasting implications for the image of the business entity.
  3. Labeling for Security
    In the FDA’s most recent Guidance draft of Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, an entire section (VI. Labeling Recommendations for Devices with Cybersecurity Risks) is devoted to providing guidance in an area that has traditionally been relegated to the ‘least desirable’ means of risk mitigation. TIR57, mentioned previously, does not address labeling in any significant way; in fact, the document is somewhat conservative in its handling of labeling in general. It mentions the difficulty of determining what information to communicate to the user to help manage residual risk without providing a blueprint for an attacker to exploit a vulnerability that has not been mitigated. The new FDA guidance takes a much more proactive stance on the merits of labeling for communicating relevant security information to end users. The guidance implies that proper labeling may help manufacturers ensure a device remains safe and effective throughout its life cycle. The FDA has various regulations for device labeling, which the guidance cites, and it suggests that informing end users of relevant security information can be an effective way to comply with those labeling requirements. Conveying security information through labeling may also be an important part of QSR design controls. The guidance then lists the recommended labeling for communicating relevant security information to end users. This list comprises fourteen suggested labeling areas that deserve strong consideration for inclusion in the submission. An examination of these recommendations shows an emphasis on devices that are networked in some capacity.

This article is submitted by Design Solutions Inc., a proud MDRG member.

“For your design engineering needs contact Design Solutions.”

Contact: Larry Marko, Senior Engineering Manager
Email: larry.marko@design-solutions.com