The cybersecurity of medical devices is a growing topic of interest, as new-generation devices are often governed by software in order to fine-tune their performance and to connect them to the wider digital network typical of new healthcare models.

A new guideline addressing the cybersecurity aspects of medical devices and in vitro diagnostics was published in December 2019 by the Medical Devices Coordination Group (MDCG), the group of experts providing technical support and consultancy to the European Commission. The new guideline will complement and support the entry into force in May 2020 of the new Medical Device (MD) regulation EU/745/2017. The document addresses the essential IT safety requirements for all medical devices that incorporate electronic programmable systems, and for software that is a medical device in itself.

Many new opportunities from the interconnected devices

Integrated systems for the administration of medicines or the remote monitoring of patho-physiological parameters have become quite common. A simple smart watch, for example, may have a great impact on the quality of life experienced by patients, who may not need to visit the hospital for check-ups, and on the sustainability of healthcare costs, thanks to the optimisation of internal activities. With the advent of the Internet of Things, doctors can interact with their patients remotely, and physical therapy can also be administered through videos. Diagnosis is also affected, as artificial intelligence is increasingly used to analyse large amounts of diagnostic data (e.g. X-ray images) and provide medical doctors with possible suggestions. These are all examples where software plays an important role in the proper functioning of equipment classified from the regulatory point of view as medical devices.

The MDCG 2019-16 guideline discusses the essential requirements for IT safety which are part of Annex 1 to the MD and IVD regulations, and it aligns the European approach with the one described by the “IMDRF principles and practices for medical device cybersecurity” guideline published by the International Medical Device Regulators Forum. The public consultation on the latter guideline closed on 2 December 2019.

The risks for IT safety

The MDCG guideline is based on a risk analysis approach in which different categories of risks for the IT safety of the devices have been identified. These have been addressed from both a pre- and post-sales perspective, including protection from undesired access.

The security of the IT infrastructure is the first level to be considered in the risk analysis, and a prerequisite for the design and development of a new medical device. In this respect, it is important to protect the infrastructure against alteration of its characteristics, in order to prevent any possible misuse of the device that differs from the intended use. A key element in achieving this is the confidentiality of all information acquired through the device; according to the guideline, this parameter should always be weighed against how critical the state of the healthcare situation or condition is and the significance of the information provided by the product functionality. Confidentiality is a must even when the device is turned off, together with data integrity and the availability of the respective processes, data, devices and connected systems. This approach is often identified by the acronym CIA, “Confidentiality, integrity and availability”.

Requirements in the Operation Security domain call for safeguards against the alteration of procedures and flows of information, while in the Information Security domain the focus is on protection against theft, deletion or alteration of the data which are stored or transmitted by the cybernetic systems.

The risk-benefit for the patient

The evaluation of the risk linked to the use of the device versus the benefits for the health of the patient should always be the main reference point for assessing the safety and efficacy requirements of a medical device. The risk analysis, says the MDCG, should consider the entire life cycle of the device and be based on the latest evidence on cybersecurity; the manufacturer is asked to demonstrate that the adopted approach is proportional to the risks identified for the device.

From an IT perspective, possible safety risks include data breaches or loss of efficacy of the device. These risks should always be considered within the risk analysis. Should the safety level be too low, for example, access to the device might be insufficiently checked and controlled, and hacking of the device’s parameters might occur (e.g. in the case of a pacemaker). On the other hand, too high a safety level might have an impact on the health of the patient, for example should healthcare professionals be unable to access the pacemaker setup during an emergency.

Non-conventional players (e.g. the big IT companies) must also be considered in the risk analysis, as they may play important roles in the transmission and availability of the information collected through the device. The guideline also addresses some requirements that are not mentioned in Annex 1 to the MD regulation, but that are a consequence of the regulation itself or of other European pieces of legislation, i.e. the GDPR regulation on protection of personal data, the Cybersecurity Act or the NIS directive on security of network and information systems.

The key principles for risk prevention

“Layered defence-in-depth” and “good security hygiene” are the two key principles identified by the MDCG guideline to evaluate expectations for the IT safety of the device with respect to its use environment. These may include both protection and performance characteristics, and they should be clearly made available to users.

The guideline also introduces the concept of “reasonably foreseeable misuse”, which is also part of the risk analysis as a consequence of the complexity of IT systems. This may imply an increased vulnerability, “which is deemed to be exploitable for a given implementation of software, might be discovered and exploited over time and as such should be regarded as an enabler for reasonably foreseeable misuse”. This type of risk should always be removed or minimised by manufacturers, even if this may be a difficult target to achieve. The misuse may also result from the specific situation, the specific software configuration and the use environment, all elements that are difficult to evaluate in the design and development phases. An unsafe USB key might be used to transfer data, for example (a foreseeable misuse), or a CD might be used to visualise X-ray images (an intentional use).

Furthermore, healthcare professionals should always follow good cybersecurity practices in order to minimise the risks connected to how their own IT infrastructures are managed, something that may vary greatly across different hospitals and other institutions.

Identify all responsibilities 

Even if the final responsibility for a certain medical device or in vitro diagnostic always lies with its manufacturer, it is important to make clear the roles and responsibilities of all the other players that participate in the product life cycle. This may be done through specific clauses included in contracts, which are used to clearly set out the framework of shared responsibility, e.g. with respect to software updates different from the ones approved by the manufacturer and that might alter the functions or safety of the device.

Integration in the Internet of Things network is another sensitive point to be considered, as “integration has the potential to improve information security because it will allow the implementation of additional technical protection measures that have to be based on the specific integration environment, e.g. authenticated communication nodes and authenticated users and roles, and encrypted data flow”. This is to say that blockchain technology may also be used to improve the cybersecurity of the network.

From this perspective, the company acting as the integrator is usually different from the manufacturer of the device or from its user. In any case, says the guideline, the final responsibility lies with the manufacturer, which signed a service contract with the integrator. Hospitals and healthcare providers are responsible for the integration of the device within their own network, while the integrator is responsible for the system installation and configuration and for the integration with the pre-existing environment. Operators are responsible for using medical devices according to the manufacturers’ instructions; this also includes disconnecting the device from the Internet when not in use, running all the required software updates, and training all personnel on IT safety. Patients too are called on to follow the instructions of the manufacturer; they should pay attention to the privacy aspects, the safety of the IT network used and any suspected security event or message. All IT hardware used to connect to medical devices (i.e. PCs, tablets, smartphones, etc.) should always comply with the most recent requirements released by the manufacturers of the devices.