On 7 January 2020, the EU Medical Device Coordination Group published new guidance to help manufacturers fulfil all relevant cybersecurity requirements in Annex I to the new Medical Device Regulations (Regulations 2017/745 on medical devices and 2017/746 on in vitro diagnostic medical devices) (the Guidelines).
Given that the medical device supply chain is complex, the Guidelines remind readers that the requirements of the Medical Device Regulations (MDRs) are only part of the regulatory cybersecurity picture, and further comment on the requirements and applicability of other legislation such as the Network and Information Security Directive (EU) 2016/1148 (the NIS Directive), the General Data Protection Regulation (EU) 2016/679 (GDPR) and the EU Cybersecurity Act, as well as noting that there is a Medical Device Cybersecurity Guide currently under development by the International Medical Device Regulators Forum.
The MDRs cover all medical devices that incorporate electronic programmable systems, as well as software that is itself a medical device. As well as setting out minimum IT security measures (including protection against unauthorised access), they require manufacturers to ensure that medical devices are designed and manufactured in such a way that, under normal conditions of use, they are suitable for their intended purpose, are safe and effective, and ultimately, that any risks associated with their use are acceptable when weighed against the benefit to the patient and compatible with a high level of protection of health and safety, taking into account the state of the art.
The Guidelines emphasise that risk assessment is key: ultimately, any risk associated with the operation of a medical device is acceptable only if it is compatible with a high level of protection of health and safety, and accordingly, safety, security and effectiveness are critical and must be considered throughout the lifecycle. They also clearly explain which provisions of the MDRs apply at which stage of the product lifecycle, and expand upon various concepts such as IT Security (in particular, the concepts of confidentiality, integrity and availability), Information Security (defined by ENISA as protection against theft, deletion or alteration of data) and Operation Security, explaining how to translate these concepts into practical protections.
Clearly, any failure in the integrity of, or unauthorised access to, a medical device may put the health and safety of the patients using it at risk. However, the Guidelines also emphasise that security must be appropriate: a lack of access to a medical device, or of availability of the data on it, may also create a risk to patients. They also highlight the responsibility of the various parties involved in, for example, the integration of systems or devices, and of the operators of such devices, and the need to continuously review security measures to ensure that appropriate cybersecurity measures are in place at all times.
Although the Guidelines refer to the NIS Directive, and carry out detailed mapping of IT security requirements to NIS Directive Cooperation Group measures, it is worth noting that only Operators of Essential Services (OES) are subject to the NIS Directive, and that Member States define their own security measures for OES in the healthcare sector: the Cooperation Group measures are purely intended as guidelines for Member States and do not have regulatory force. That said, suppliers to OES should be aware that, particularly if the medical devices they provide connect into critical systems, these local requirements may need to be complied with, albeit indirectly, and there are likely to be contractual requirements to report cybersecurity incidents to the relevant customer to allow them to comply with their obligations under the NIS Directive (as implemented under local law).
Medical devices commonly collect and further process sensitive personal data, e.g. health information (whether or not this is linked to individuals by name). Under the GDPR and applicable national data protection law, a failure to have appropriate measures in place to protect this personal data may trigger reporting requirements, and lead to significant fines and/or other enforcement action, as well as actions from affected individuals. Being able to demonstrate that the Guidelines have been followed, and the MDRs complied with, is likely to greatly assist medical device manufacturers in demonstrating that they had appropriate security measures in place.
Overall, the Guidelines provide a helpful practical guide to the cybersecurity considerations that manufacturers of medical devices should take into account at all stages of the product lifecycle: not only to assist compliance with the MDRs, but also to flag other compliance regimes that may be relevant, and the key risks that should be considered.