“Cyber security readiness is no longer an option but is now mandated by medical device regulatory bodies driven by the U.S., E.U., and the IMDRF (International Medical Device Regulators Forum).”

TUV Rheinland’s Asia Pacific (APAC) head of Cyber Security services, Shotaro Kaida, spoke  to Korea Biomedical Review about the need for cyber security in medical devices .
TUV Rheinland’s Asia Pacific (APAC) head of Cyber Security services, Shotaro Kaida, spoke  to Korea Biomedical Review about the need for cyber security in medical devices .

So said a cyber security expert in an interview with Korea Biomedical Review on the side-lines of KIMES 2023.

As Korea boasts advanced technologies and connected health systems within its tertiary care system, medical devices are susceptible to cyber-attacks.

TUV Rheinland’s Asia Pacific (APAC) head of Cyber Security services, Shotaro Kaida, spoke about cyber security in medical devices.

TUV Rheinland is headquartered in Germany with offices globally and in Asia like Japan and Korea. They are a third-party testing provider performing testing, inspection, and certification services.

Medical device vulnerabilities

Stressing the importance of medical devices, he highlighted the impacts of cyber threats in the medical field, such as leaked patient information which can indirectly interfere with life-saving equipment like extracorporeal membrane oxygenation (ECMO), even if for just 10 minutes.

“Cybersecurity impact depends on the characteristics, function, and usage of the device. It can have a big impact on some equipment and less on others so you need to pay attention to the device you are developing and consider the impact it can have if cyber security is breached,” explained Kaida.

He drew specific attention to the long-life span of medical devices which often cannot be updated to the latest software or operating system which can also create vulnerabilities in systems.

Most medical devices now use some sort of software system, database, application programming language, or external communication systems which function as communication windows but can also become intrusion points for malicious attacks, he went on to say.

For this reason, he underscored the importance of management should be considered from the moment of developing a medical device.

He noted the overlapping requirements between the FDA, Medical Device Regulations (MDR), and the IMDRF. Accordingly, all three cyber security requirements from the aforementioned regulatory bodies generally comprise static and dynamic code analysis, vulnerability scanning, robustness testing, security feature testing, and penetration testing.

Domestic and foreign medical device cyber security requirements

Specifically, he mentioned that the FDA has led the way as they were the first to publish pre- and post-market submission guidance documents in 2014 and 2016 and recently published an updated draft of pre-market cyber security requirements in 2022.

Meanwhile, the MDR and IMDRF followed suit, and both published their pre- and post-market cyber security requirements in 2019 and 2022 respectively.

In this regard, Korea’s Ministry of Food Drug and Safety (MFDS) also published updated cyber security approval guidelines for medical devices in January last year about strengthening policies for cyber security in terms of clarifying cyber security application targets and standardizing requirements. As a result, it now reflects the IMDRF medical device cyber security standards.

The cyber security guidelines originally pertained to medical devices that send and receive personal medical information such as patient biometric information using wired and wireless communication, control devices, and software but were expanded to medical devices that have a communication path among medical devices including software.

Additionally, requirements that previously differed based on the device’s cyber security safety rating are now evaluated based on the degree of harm it can cause, the medical device communication method, and the specific application and environment of use.

He also stated that Japan will implement the IMDRF medical device cyber security guidelines starting next month.

Boosting cyber security

However, he pointed out that cyber security requirements for medical devices should be considered from the R&D stage to develop a secure medical device. Still, many manufacturers often struggle with cyber security readiness as they just build the device to be functional.

He recommended assessing the device against the confidentiality, integrity, and availability (CIA) principles to uncover any vulnerabilities in medical devices.

For example, confidentiality refers to data that should not be disclosed to unauthorized persons or used for unauthorized persons while integrity is related to the device’s data which should not be converted or destroyed in an unauthorized manner. Meanwhile, availability means the data must be immediately available to authorized users in the form necessary and when necessary.

“This should be followed by a risk level score according to the Common Vulnerability Scoring System Version (CVSS) 3.0 and risk management assessment in accordance with the ISO 14971 standard which previously only spoke to the safety of the device but now also includes cyber security,” he explained.

Copyright © KBR Unauthorized reproduction, redistribution prohibited