Cyber Security and Medical Devices
- Yasemin Gültepe
- Aug 7, 2022

As technology becomes more important in our lives day by day, the issue of cyber security is also emphasized ever more strongly. Let's start with the definition of cyber security to deal with this issue...
Cyber security can be defined as the defence system developed against unauthorized access to and malicious use of data kept and processed in digital systems connected to the internet. Its purpose is to develop a defence mechanism to protect the relevant infrastructure, data or services. The developed cyber security strategy provides strong protection against malicious attacks. While digital systems make our lives easier day by day, the growing amount of sensitive and confidential data used by many programs/software also increases the importance of cyber security.
As developments in telehealth applications and software as a medical device (SaMD) increase, the cyber security of medical devices becomes a general security requirement. As in other fields, precautions must be taken to ensure that any medical device containing software is not defenceless against cyber security threats and attacks. In the medical device industry, health data has long been a target of cyber attacks, because of patient information, product performance data, or any kind of data that may come from different devices over the common network to which a device is connected. Although the subject had been mentioned in medical device guidances before, the 2017 WannaCry cyberattack against the NHS, one of the largest government-funded health systems in the UK, showed how important it is for the health sector to develop defences against these attacks. These and similar cyber security threats have triggered updates to the guidelines for medical device developers and manufacturers through medical device legislation.
The main issue addressed in common across all guidances is that, in the absence of cyber security, device functionality is compromised, data integrity is lost, or other connected devices or networks are exposed to security threats. Medical device manufacturers should develop a set of security controls, starting from the design process, to protect information confidentiality and integrity. Considering cybersecurity during the design and development of the medical device makes the mitigation of cybersecurity risks stronger and more effective. Manufacturers are expected to define and document their cyber security risk analysis and management plans as part of risk analysis.
Although the published guides are not very new or different in terms of content, they are an important reminder to take cybersecurity seriously in your device software. You can review the table below for the relevant parts of some guidance and standards published on this subject. The authorities keep an eye on medical device manufacturers regarding cyber security for compliance with both EU and US legislation.
| Reference | Title | Publication |
| --- | --- | --- |
| (EU) 2017/745 MDR | Annex I General Safety and Performance Requirements, Chapter II Requirements Regarding Design and Manufacture, Section 17.2 | May 2017 |
| (EU) 2017/746 IVDR | Annex I General Safety and Performance Requirements, Chapter II Requirements Regarding Performance, Design and Manufacture, Section 16.2 | April 2017 |
| MDCG 2019-16 | Guidance on Cybersecurity for Medical Devices | December 2019 |
| IMDRF | Principles and Practices for Medical Device Cybersecurity | March 2020 |
| EN 62304:2006 + A1:2015, IEC 62304:2006 + A1:2015 (E) | Medical Device Software - Software Life-cycle Processes, 3.22 and 5.2.2 Paragraphs | May 2006 |
| FDA | Draft Guidance: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions | April 2022 |
| FDA | Draft Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices | April 2022 |
| FDA | Postmarket Management of Cybersecurity in Medical Devices | December 2016 |
| FDA | Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software | January 2005 |



