How to make medical devices cyber-safe?

Ten years ago, connectivity was a word rarely associated with medical devices. For safety and security reasons, the devices were used in isolation, and maintenance staff travelled long distances to inspect any malfunction on-site. Growing consumer interest in health appliances, together with the megatrend of connecting every appliance to a cloud, has slowly driven a change among medical device manufacturers. During the past 5 years, we have seen steadily increasing connectivity within this domain and multiple examples of medical devices that consist only of a software (web/mobile) application.

Is there official guidance for cyber safety of medical devices?

The authorities have slowly followed these trends by updating the legislation specific to medical devices. In parallel, the European Union has established its own regulatory framework with industry-specific standards. The MDR (Medical Device Regulation in the EU), which replaced the MDD (EU Medical Device Directive) in 2017, now treats software applications as medical devices if they are used for any analysis or diagnostic purposes. For the first time, cyber security is also an important part of the requirements for medical device manufacturers. Yet the official guidance on this topic is still somewhat confusing, and it forces device manufacturers to build up their own understanding and supporting processes to keep their R&D and sales operations running.

It is crucial to understand both cyber security and functional safety

Cyber security and functional safety are often handled separately. This usually causes duplicate work or, even worse, means that the cyber security requirements are looked at for the first time when product design and development are already far along. These issues can be avoided if digital security and functional safety are analyzed at the same time, combining the knowledge from both areas in the concept of cyber safety. Understanding what these areas have in common makes it possible to handle them in parallel instead of covering each one separately.

Since the medical industry still lacks precise security guidelines, cyber safety in this domain means applying well-known cyber security standards such as EN ISO 27001 (Information security management system) together with selected medical domain standards like EN ISO 14971 (Medical devices – Application of risk management to medical devices) to make medical devices cyber-safe.

After all, on a technical level, a medical device is no different from any other connected device when it comes to cyber security threats. What is important to notice are the additional domain-specific requirements that ensure the safety of the patient and the device users. This means that any mitigation of a cyber security risk needs to be verified with regard to safety. A life-supporting device cannot be shut down even if it has been hacked, nor can the device's access control prevent hospital personnel from acting in an emergency. Making medical devices cyber-safe without compromising their safety and usability requires understanding the special needs of the medical domain and combining that with knowledge of both cyber security and functional safety.

Text: Laura Nummila