Smart medical cybersecurity legislation promulgated - How should medical device manufacturers deploy?

2022 / 08 / 17

In recent years, the pandemic has acted as a catalyst that accelerated the digital transformation of many fields, and smart medical care is one example. However, it cannot be denied that digital transformation is a double-edged sword: it benefits the country and the people, but it also expands the attack surface, giving attackers more opportunities. In view of this, a number of regulations have been released one after another, such as those of the US FDA and the EU MDR/MDCG. These regulations set out cybersecurity requirements for medical devices, which must be tested and verified before the devices are allowed on the market, and they pose a great challenge for most medical device developers and manufacturers.

Zhan Yingqi, compliance planner at Onward Security, said that many medical device manufacturers are currently concerned about what conditions they need to meet in order to sell their products to the United States and the European Union in the future. This is mainly divided into three parts. The first is the "pre-market application"; the applicable regulations are FDA 510(k) or PMA in the United States, and the MDR in the European Union.

The second is the "cybersecurity requirements". The reference documents are "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" for products sold to the United States, and MDCG 2019-16 for products sold to the EU. The third is the "document examination authority": in the United States it is the Office of Product Evaluation and Quality (OPEQ) under the FDA, and in the European Union the examination is performed by a designated Notified Body (NB).

Introduce the concept of security at the beginning of the design

Taking the United States as an example, when the pre-market application process is initiated, the device classification should be determined first, and then substantially equivalent (predicate) products should be identified. The next step is to identify the FDA-specific guidance documents and recognized standards that apply, in order to prepare the content of the submission and organize it according to the logical sequence of the prescribed document format.

As for the EU, its process is similar to that of the United States, but the content is relatively strict. It requires registration of the organization's role, the medical device and its UDI, and it also covers post-market management.

Regarding the US FDA and EU MDR/MDCG regulations, Onward Security can act as an assistant for cybersecurity compliance. Zhan Yingqi said that this is now an era that requires security from the source, and medical devices also emphasize the principle of secure development. The development process is divided into several stages:

  1. Security design: A complete security concept should be brought in from the moment a need is identified or the design direction is conceived, covering communication security, data protection, authorization and authentication, software maintenance, physical external interfaces, device reliability and availability, etc.;
  2. Risk management: Standards and methods such as ISO 14971, threat modeling and the NIST CSF should be referenced;
  3. Verification and testing: Confirm whether the developed product meets the original expectations, verify its applicability, and perform software and hardware validation;
  4. Incident response: The focus is on monitoring known vulnerabilities against the components listed in the SBOM, and on monitoring and tracking the third-party open source software and libraries the product depends on.
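The SBOM-driven vulnerability monitoring described in stage 4 can be illustrated with a small matcher. This is an added example, not Onward Security's tooling: it reads a constructed CycloneDX-style SBOM, compares each component's version against a constructed advisory feed (placeholder "ADV-" identifiers, half-open [introduced, fixed) ranges) and reports the components that need patching.

```python
"""Match SBOM components against a vulnerability feed (added example)."""
import json
import re
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX 1.4-style SBOM for a hypothetical device image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"type": "library", "name": "busybox", "version": "1.35.0"},
        {"type": "operating-system", "name": "linux", "version": "5.10.100"},
    ],
})

# Constructed advisory feed. IDs are placeholders, not real CVEs; each entry
# marks the affected version range as half-open: introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1n"},
    {"id": "ADV-0002", "component": "busybox", "introduced": "1.33.0", "fixed": "1.36.0"},
    {"id": "ADV-0003", "component": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
]


def version_key(version: str) -> List[Tuple[int, object]]:
    """Split '1.1.1k' into comparable parts; numeric parts sort before letters."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts]


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when version lies in [introduced, fixed)."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def match_sbom(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per advisory that applies to a component in the SBOM."""
    by_name = {c["name"]: c for c in json.loads(sbom_json).get("components", [])}
    findings = []
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
            findings.append({"advisory": adv["id"], "component": comp["name"],
                             "version": comp["version"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} (fixed in {f['fixed_in']})")
```

In practice the feed would come from a vulnerability database keyed by package URL rather than bare name, but the range comparison and the SBOM-to-advisory join are the same.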

Personal data protection and continuous oversight both matter

Several security requirements must be met when a product is submitted to the FDA for review. First of all, the FDA requires products to be designed to be reliable and secure. That is to say, the product must remain resilient in the event of a cybersecurity threat or intrusion, and must perform its intended function under any circumstances.

Secondly, it expects manufacturers to protect data through certificates or encryption. The device is required to provide logs and records of cybersecurity incident detection. Manufacturers also need to explain whether they issue regular patches or updates, and whether they have the ability to deal with DDoS and other cyber attacks.

As for the EU MDR, it expresses its cybersecurity requirements in Annex I (referred to here as "Appendix 1"). Unlike MDCG 2019-16, Appendix 1 is a conceptual statement that only indicates directions, while MDCG 2019-16 is implementation guidance. Therefore, manufacturers should read the two documents together before submitting a product listing application.

In outline, Appendix 1 describes, item by item, the goals that manufacturers are expected to achieve for IT security, operational security, cybersecurity, risk control and reduction, secure design, and verification and testing.

It is worth mentioning that the MDR not only attaches importance to cybersecurity, but also expects manufacturers to have integrated and continuous cybersecurity management and control measures. For example, manufacturers are expected to pay attention to the protection of personal information: if the product draws on a health insurance database or a similar source for research or clinical studies, the security of the relevant data must be considered comprehensively. For products already on the market, the cybersecurity management measures need to establish vulnerability monitoring and update mechanisms, as well as continuous improvement procedures and practices. In short, the EU holds that the operational safety and the cybersecurity of a product cannot be decoupled and should be considered together; in other words, safety and security must be considered comprehensively both before and after sale.

Risk assessment through threat modeling and other methods

How does Onward Security help customers achieve their compliance goals? Zhan Yingqi pointed out that, first, Onward Security provides consulting services for security design, risk management and incident response during the secure development stage. It compares the customer's documents, architecture and operating methods with the regulations to produce a gap analysis.

The second is risk assessment, which mainly uses threat modeling, two-way retrospective analysis and other methods to understand the customer's software update status and to determine whether integrated controls have been implemented. The first step is to confirm which key assets the product contains, and then use threat modeling to analyze vulnerabilities. Once that is complete, the product is sent for testing to confirm whether the expected cybersecurity risks have been addressed. After testing, the remaining risks are scored (i.e. the residual risks), and the subsequent means of improving or controlling them are discussed with the customer. Another focus is the two-way retrospective analysis, which uses the customer's development design documents and test documents to understand whether the product development process meets the regulatory requirements, and to confirm that device cybersecurity has actually been implemented. Finally, Onward Security gives suggestions on software integration controls and environmental controls.

In addition to consulting services, Onward Security also provides technical testing services to confirm whether products meet the cybersecurity compliance that customers claim. Its FDA/MDCG medical device cybersecurity technical testing covers performance testing (e.g. whether the device's external connections are controlled), testing of third-party applications (e.g. mobile apps, cloud services) and package security testing (building a bill of materials that includes the device OS, applications, packages, etc.), and static and dynamic analysis (source code scanning, penetration testing, fuzzing, etc.). After testing, a report is issued that lists vulnerabilities by high/medium/low risk level with patching suggestions, together with an overall assessment of compliance with the FDA and MDR cybersecurity requirements.

The whole process takes about 4 months, from kick-off, risk analysis and assessment, initial product testing, vulnerability remediation and retesting to project closure. Onward Security has assisted a number of enterprise products in complying with FDA, TFDA, ETSI EN 303 645 and other cybersecurity standards and passing verification and testing, including an implantable pacemaker, a glucose testing system, a health bracelet, a wireless stethoscope, a non-contact care system and a blood glucose meter. With the assistance of Onward Security's professional consultants and technical testing team, customers can more easily and quickly meet the requirements of medical cybersecurity regulations in Europe, the United States and Taiwan, so that their products can be successfully marketed in these regions.
